Group Membership

Beginning in July 2018, we have started offering an attribute that will pass Wolftech AD group memberships to our Service Provider (SP) clients that request them.

This attribute uses the standard LDAP name and OID:

AttributeID    SAML2 Name                           Suggested ENV Name
isMemberOf     urn:oid:1.3.6.1.4.1.5923.1.5.1.1     SHIB_MEMBEROF

Values

Limitations

Requesting This Attribute

Using the Attribute

If you have an existing SP and want to add this attribute to it, you will need to make sure you have added an entry for it in your Attribute Map file. Sites that are using our suggested mappings can simply download the updated file from sample30-attribute-map.xml and replace the copy found on your server at /etc/shibboleth/attribute-map.xml.

If you want to manually add the mapping, edit your /etc/shibboleth/attribute-map.xml file and add an entry like this to it:

<Attribute 
  name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
  id="SHIB_MEMBEROF" />

If you are not using our suggested mappings, you can change the id="SHIB_MEMBEROF" entry above to a name of your choice. The SP will expose the attribute to your programs under that environment variable name.

After you have updated your map file, restart shibd and test to verify the new attribute is being passed in the environment.

Each group in the list will be separated by a semicolon when the list is passed through the environment. For example, when testing with PHP you might see:

[SHIB_MEMBEROF] => CN=WT-OIT-Shared Services,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu;CN=WT-NCSU-All Staff,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu;...

In Htaccess Files

Here's a simple example of how to write an .htaccess file entry to require that the user be a member of at least one of three AD groups.

AuthType shibboleth
ShibRequestSetting requireSession true

require shib-attr SHIB_MEMBEROF "CN=NCSU-B-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
require shib-attr SHIB_MEMBEROF "CN=NCSU-D-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
require shib-attr SHIB_MEMBEROF "CN=NCSU-J-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
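For applications that do their own authorization instead of (or in addition to) the .htaccess rule above, the same check can be made in code by reading the SP-exported environment variable and splitting it on the semicolon delimiter described earlier. The following is an added example, not part of the NC State documentation or the Shibboleth project; it assumes a Python web application that receives the SP's environment (for example a WSGI environ dict), uses the three Unity Users group DNs from the .htaccess example as its allowlist, and compares full distinguished names rather than just the CN so that a similarly named group cannot satisfy the check by accident. The sample attribute value is constructed for the example.

```python
import os

# The three group DNs required by the .htaccess example on this page.
ALLOWED_GROUPS = {
    "CN=NCSU-B-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu",
    "CN=NCSU-D-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu",
    "CN=NCSU-J-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu",
}

# Constructed sample of what the SP places in SHIB_MEMBEROF: full DNs, ';' between them.
SAMPLE_MEMBEROF = (
    "CN=WT-OIT-Shared Services,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu;"
    "CN=NCSU-D-Unity Users,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
)


def normalize_dn(dn):
    """AD distinguished names are matched case-insensitively, so fold case and trim."""
    return dn.strip().lower()


def parse_member_of(raw):
    """Split the SP's semicolon-delimited isMemberOf value into a set of normalized DNs.

    Returns an empty set when the attribute is missing or empty, which covers both
    'user is in no released groups' and 'attribute was not released at all'. The
    DNs contain commas but no semicolons, so a plain split is sufficient here; this
    assumes no value carries a literal ';' of its own.
    """
    if not raw:
        return set()
    return {normalize_dn(dn) for dn in raw.split(";") if dn.strip()}


def is_authorized(raw_member_of, allowed=ALLOWED_GROUPS):
    """True if the user holds at least one allowed group (same OR semantics as the
    three 'require shib-attr' lines). Whole-DN equality is used deliberately: a
    substring test on the CN would also accept e.g. 'CN=NCSU-B-Unity Users-Archive'."""
    groups = parse_member_of(raw_member_of)
    allowed_norm = {normalize_dn(dn) for dn in allowed}
    return not groups.isdisjoint(allowed_norm)


def check_environ(environ, var="SHIB_MEMBEROF"):
    """Authorization decision from a request environment (hypothetical helper; the
    variable name is whatever id= you chose in attribute-map.xml). Missing var -> deny."""
    return is_authorized(environ.get(var))


if __name__ == "__main__":
    # Stand-alone demonstration against the constructed sample and a lookalike group.
    print("sample user authorized:", check_environ({"SHIB_MEMBEROF": SAMPLE_MEMBEROF}))
    lookalike = "CN=NCSU-B-Unity Users-Archive,OU=Managed Groups,OU=NCSU,DC=wolftech,DC=ad,DC=ncsu,DC=edu"
    print("lookalike group authorized:", is_authorized(lookalike))
    print("no attribute authorized:", check_environ(dict(os.environ)))
```

Because the decision is "deny unless a full DN matches", an SP that stops releasing isMemberOf, or a user with an empty group list, fails closed rather than open; that is the behaviour you want to confirm when you restart shibd and test the new mapping.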