From now on, the **service providers** who have selected the “**Ask for group membership after authentication**” option will be able to filter which of these should be selectable with the attribute "**Script to filter out group memberships**".
### Bear in mind Please note the following points: - The **holder groups** **must be** correctly **configured** in Soffid. - If there is only **one** possible **holder group**, it is **selected automatically** and is not displayed to the user. ### How to configure it? The following **components** must be installed: - Addon federation 4.0.25 (or higher) ### Let's look at an example Let’s look at an example, here we have the user "**user4**" who has already set up the **holder groups**. [](https://bookstack.soffid.com/uploads/images/gallery/2026-05/JpAKXBOb9tYRKvLA-image.png) We had a **service provider** that was already selected the option "**Ask for group membership after authentication**". [](https://bookstack.soffid.com/uploads/images/gallery/2026-05/kP8QV9hPqFVt8sdA-image.png) The holder groups have several **custom attributes** (startDate, endDate and status). [](https://bookstack.soffid.com/uploads/images/gallery/2026-05/jSgdoRMeh0qAllS1-image.png) We now want to **filter** the **holder groups** with the attibute **status** with the **Active** value. [](https://bookstack.soffid.com/uploads/images/gallery/2026-05/YqrDoi5j8iFQ3WLV-image.png) So we're going to create a script in the "**Script to filter out group memberships**" of the service provider. [](https://bookstack.soffid.com/uploads/images/gallery/2026-05/9PjFDOz2srel64TD-image.png) This is the script. ``` // Return the groups whose “status” attribute has the value "Active" // l = new java.util.ArrayList(); lug = serviceLocator.getGroupService().findUsersGroupByUserName(user.userName); for (i=0; iNow, when an account is **disabled**, its **password** is **deleted**. Afterwards, if the user changes his password, the disabled account will still have no password. If the disabled account is **enabled**, the agent of the account will **set** the password of the **password domain** to the account and send it to the target system.
### Bear in mind Please note the following points: - The user's **password domain** will have **value** once at least one password has been assigned. - The account must be a **single-user account**; these are the ones that can be viewed in a user’s accounts tab. ### How to configure it? The following **components** must be installed: - Console 4.0.57 (or higher) - Syncserver 4.0.35 (or higher) - SAP plugin 4.0.2 (or higher) ### Let's look at an example Let’s look at an example, here we have the user "**ethan\_miller**" to whom we are going to assign the password "**Dummy01.**". [](https://bookstack.soffid.com/uploads/images/gallery/2026-06/8KacmI0v1LGoDJfV-image.png) You can check your password on the "**My accounts**" page, click on the "**View password**" of the "**app-demo**" account. [](https://bookstack.soffid.com/uploads/images/gallery/2026-06/xcUYNTHc1zmEcTHX-image.png) Now let's **disable** the "app-demo" account. [](https://bookstack.soffid.com/uploads/images/gallery/2026-06/6t1qrUFAOBlmIeqP-image.png) Check the password again, it must be empty. [](https://bookstack.soffid.com/uploads/images/gallery/2026-05/BeGQeZT3Rla7fpaH-image.png) We are going to assign a new password "**Dummy02.**". [](https://bookstack.soffid.com/uploads/images/gallery/2026-06/18lgUFrATVmk75jn-image.png) The other account has the new password. [](https://bookstack.soffid.com/uploads/images/gallery/2026-06/gT7ORlraCtVORk9z-image.png) **Enable** the "app-demo" account. [](https://bookstack.soffid.com/uploads/images/gallery/2026-06/ZA3P6gdNmBQCncYV-image.png) Check the account with the new password. [](https://bookstack.soffid.com/uploads/images/gallery/2026-06/FR3F7F3Qdx8kpCs6-image.png)