SAML IdP: Pass nested group memberships as attributes

Hi there,

I’d like to pass “nested” group memberships of users to SAML service providers as attributes in SAML responses.

Say user U is a member of group G1, but not directly of group G2, and G1 is a member of G2.

The package “univention-ldap-overlay-memberof” only passes G1 in the memberOf attribute for U but the SP needs the indirect membership in G2 as well.

SimpleSAMLphp offers the processing filter ldap:AttributeAddUsersGroups, which provides this functionality. Unfortunately this filter does not seem to work in UCS; if I add it to the configuration, I get the following error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /usr/share/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: ldap:AttributeAddUsersGroups : Authsource [univention-ldap] specified in filter parameters is not an ldap:LDAP type
Backtrace:
9 /usr/share/simplesamlphp/modules/ldap/lib/Auth/Process/BaseFilter.php:130 (sspmod_ldap_Auth_Process_BaseFilter::__construct)
8 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:154 (SimpleSAML_Auth_ProcessingChain::parseFilter)
7 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:130 (SimpleSAML_Auth_ProcessingChain::parseFilterList)
6 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:58 (SimpleSAML_Auth_ProcessingChain::__construct)
5 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:325 (SimpleSAML_IdP::postAuth)
4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:229 (SimpleSAML_Auth_Source::loginCompleted)
3 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:145 (SimpleSAML_Auth_Source::completeAuth)
2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:266 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
0 /usr/share/simplesamlphp/www/module.php:137 (N/A)

The reason for that is that the UCS LDAP authentication source uses the notation ‘uldap:uLDAP’ instead of the standard ‘ldap:LDAP’. This type is asserted in simplesamlphp/modules/ldap/lib/Auth/Process/BaseFilter.php. Removing the assertion from the source code fixes this issue, but I don’t consider this a good idea.

Is there a way to use ‘ldap:AttributeAddUsersGroups’ without changing the SimpleSAMLphp source code, or is there another way to pass “nested” group memberships to the SP?

Best regards,
Greulich

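The transitive membership the post asks for (U is in G1, G1 is in G2, so U should also be reported in G2) can be computed from the direct memberOf values by walking up the group chain. The following is an added example, not code from the thread, from UCS or from SimpleSAMLphp; it uses a constructed in-memory stand-in for the LDAP entries and assumes a real deployment would replace the dictionary lookups with LDAP searches:

```python
# Added example: resolve nested group membership from direct memberOf values.
# DIRECTORY is a constructed stand-in for LDAP entries (DN -> attributes).
from typing import Dict, List, Set

# Constructed sample: U is in G1, G1 is in G2, G2 is in G3, and G3 lists G1
# again so that the cycle-handling path is exercised.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=u,cn=users,dc=example,dc=com": {
        "memberOf": ["cn=G1,cn=groups,dc=example,dc=com"],
    },
    "cn=G1,cn=groups,dc=example,dc=com": {
        "memberOf": ["cn=G2,cn=groups,dc=example,dc=com"],
    },
    "cn=G2,cn=groups,dc=example,dc=com": {
        "memberOf": ["cn=G3,cn=groups,dc=example,dc=com"],
    },
    "cn=G3,cn=groups,dc=example,dc=com": {
        "memberOf": ["cn=G1,cn=groups,dc=example,dc=com"],  # cycle back to G1
    },
}


def nested_groups(dn: str, directory: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Return every group DN the entry belongs to, directly or through nesting.

    A visited set stops the walk on group cycles, which directories allow.
    """
    seen: Set[str] = set()
    todo = list(directory.get(dn, {}).get("memberOf", []))
    while todo:
        group = todo.pop()
        if group in seen:
            continue  # already expanded: this is what breaks cycles
        seen.add(group)
        todo.extend(directory.get(group, {}).get("memberOf", []))
    return sorted(seen)


def group_names(dns: List[str]) -> List[str]:
    """Reduce group DNs to their cn value for SPs that do not expect LDAP notation."""
    names = []
    for dn in dns:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "cn":
            names.append(value.strip())
    return names
```

The list returned by nested_groups is what the SAML attribute (memberOf or a dedicated group attribute) would carry, and group_names gives the short form mentioned in the second post.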

Hello,

I would really appreciate this too, for using SAML with authorization based on group memberships. Actually it seems that memberOf sends the groups in LDAP notation.

Please, Univention, make this SimpleSAML filter ldap:AttributeAddUsersGroups available as an option in the SAML RP configuration.

Kind regards
phiku
