Reading groups membership in Shibboleth 4.0.1

Daniel Fisher dfisher at
Mon Nov 30 22:11:15 UTC 2020

On Mon, Nov 30, 2020 at 10:01 AM Feinstein, Moses <moses.feinstein at>

> Below configuration works, if I substitute “isMemberOf” in attribute
> resolver with any other attribute (displayName for example), however for
> some reason it is unable to read “isMemberOf”, it returns nothing for the
> group membership even though the user is a member of the group
> (cn=testgroup,ou=Groups,dc=example,dc=org).
> Since “isMemberOf” is part of operational attributes, I am not sure if
> there is anything else that needs to be configured on Shibboleth side.
> Am I missing something in my configuration below to be able to read
> operational attribute “isMemberOf” from the LDAP?

What does your DataConnector configuration look like? Assuming the
permissions are correct, requesting isMemberOf specifically is all you need
to do.

--Daniel Fisher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list