Skip to main content

2026-05-20 New feature: filter holder groups at the IdP login

The new feature

From now on, the service providers who have selected the “Ask for group membership after authentication” option will be able to filter which of these should be selectable with the attribute "Script to filter out group memberships".

Bear in mind

Please note the following points:

  • The holder groups must be correctly configured in Soffid.

  • If there is only one possible holder group, it is selected automatically and is not displayed to the user.

How to configure it?

The following components must be installed:

  • Addon federation 4.0.25 (or higher)

Let's look at an example

Let’s look at an example, here we have the user "user4" who has already set up the holder groups.

image.png

 

We had a service provider that was already selected the option "Ask for group membership after authentication".

image.png

 

The holder groups have several custom attributes (startDate, endDate and status).

image.png

 

We now want to filter the holder groups with the attibute status with the Active value.

image.png

 

So we're going to create a script in the "Script to filter out group memberships" of the service provider.

image.png

 

This is the script.

// Return the groups whose “status” attribute has the value "Active"
//
l = new java.util.ArrayList();
lug = serviceLocator.getGroupService().findUsersGroupByUserName(user.userName);
for (i=0; i<lug.size(); i++) {
  ug = lug.get(i);
  if (ug.attributes!=null &&
      ug.attributes.get("status")!=null &&
      "Active"===ug.attributes.get("status"))
  {
    l.add(ug.group);
  }
}
return l;

Please note that if the script fails or is not configured correctly, the holder groups page will not be displayed.

 

Now, to test it, we’ll log in to the application (the service provider), and these are the IdP’s login pages

image.png

image.png

 

Back to top