Reading groups membership in Shibboleth 4.0.1

Feinstein, Moses moses.feinstein at
Mon Nov 30 15:01:07 UTC 2020

I am trying to return group membership for the user who is authenticating via Shibboleth 4.0.1.

The configuration below works if I substitute "isMemberOf" in the attribute resolver with any other attribute (displayName, for example); however, for some reason it is unable to read "isMemberOf". It returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).

Since "isMemberOf" is an operational attribute, I am not sure if there is anything else that needs to be configured on the Shibboleth side.

Am I missing something in my configuration below to be able to read the operational attribute "isMemberOf" from LDAP?

If anyone has a good example of how to read group membership, it would be very helpful. Thanks.

<AttributeRule attributeID="membership" permitAny="true" />

idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf

<AttributeDefinition xsi:type="Simple" id="isMemberOf">
    <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
</AttributeDefinition>

<AttributeDefinition id="membership" xsi:type="Mapped">
    <InputAttributeDefinition ref="isMemberOf" />
    <DefaultValue passThru="true"/>

    <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>

    <AttributeEncoder xsi:type="SAML2String" name="membership" friendlyName="membership" encodeType="false" />
</AttributeDefinition>

The LDAP user is part of this group:
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org

Moses Feinstein
Touro College and University System
