Reading groups membership in Shibboleth 4.0.1

Feinstein, Moses moses.feinstein at
Mon Nov 30 23:07:01 UTC 2020

For, I do have “isMemberOf” listed.

idp.attribute.resolver.LDAP.returnAttributes         = displayName,mail,uid,sn,givenName,isMemberOf

I am able to return all other listed attributes without any issues, it’s just “isMemberOf” that is not returning.

If you have attribute resolver configuration for openldap membership relase, that would be helpful as well. I am going to try the same in openldap and see if I can I parse group membership.

Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Emaill: moses.feinstein at<mailto:moses.feinstein at>

From: users <users-bounces at> On Behalf Of Daniel Fisher
Sent: Monday, November 30, 2020 5:11 PM
To: Shib Users <users at>
Subject: Re: Reading groups membership in Shibboleth 4.0.1

External Email
On Mon, Nov 30, 2020 at 10:01 AM Feinstein, Moses <moses.feinstein at<mailto:moses.feinstein at>> wrote:

Below configuration works, if I substitute “isMemberOf” in attribute resolver with any other attribute (displayName for example), however for some reason it is unable to read “isMemberOf”, it returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).

Since “isMemberOf” is part of operational attributes, I am not sure if there is anything else that needs to be configured on Shibboleth side.

Am I missing something in my configuration below to be able to read operational attribute “isMemberOf” from the LDAP?

What does your DataConnector configuration look like? Assuming the permissions are correct, requesting isMemberOf specifically is all you need to do.

--Daniel Fisher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list