diff --git a/src/mod_sso/mod_sso.c b/src/mod_sso/mod_sso.c
index 358625b68b11a72ad011fa8b0281907d5be2a9ec..cc46ae272119d26be3003ad2a099c54e6d54af92 100644
--- a/src/mod_sso/mod_sso.c
+++ b/src/mod_sso/mod_sso.c
@@ -46,6 +46,9 @@ typedef struct {
 
   // Note: public_key is a binary buffer (non zero-terminated).
   const unsigned char *public_key;
+
+  // All known groups.
+  apr_array_header_t *groups;
 } modsso_config;
 
 typedef const char *(*CMD_HAND_TYPE) ();
@@ -70,7 +73,8 @@ static void *create_modsso_config(apr_pool_t *p, char *s)
   newcfg->service = NULL;
   newcfg->domain = NULL;
   newcfg->public_key = NULL;
-
+  newcfg->groups = NULL;
+  
   // Return the created configuration struct.
   return (void *)newcfg;
 }
@@ -85,11 +89,13 @@ static void *merge_modsso_config(apr_pool_t *p, void *base, void *add)
   newcfg->login_server = cadd->login_server ? cadd->login_server : cbase->login_server;
   newcfg->service = cadd->service ? cadd->service : cbase->service;
   newcfg->domain = cadd->domain ? cadd->domain : cbase->domain;
-
   newcfg->public_key = cbase->public_key;
   if (cadd->public_key) {
     newcfg->public_key = cadd->public_key;
-  }    
+  }
+
+  // Groups are not merged, last takes precedence (if set).
+  newcfg->groups = cadd->groups ? cadd->groups : cbase->groups;
 
   return (void *)newcfg;
 }
@@ -140,6 +146,25 @@ static const char *set_modsso_public_key_file(cmd_parms *parms, void *mconfig, c
   return NULL;
 }
 
+static apr_array_header_t *parse_commasep_groups(apr_pool_t *pool, const char *commaseplist) {
+  apr_array_header_t *arr = apr_array_make(pool, 1, sizeof(const char *));
+  char *tokenizerCtx = NULL, *group;
+  char *tmp = apr_pstrdup(pool, commaseplist);
+  group = apr_strtok(tmp, ",", &tokenizerCtx);
+  do {
+    *(const char **)apr_array_push(arr) = group;
+    group = apr_strtok(NULL, ",", &tokenizerCtx);
+  } while (group != NULL);
+  return arr;
+}
+
+static const char *set_modsso_groups(cmd_parms *parms, void *mconfig, const char *arg)
+{
+  modsso_config *s_cfg = (modsso_config *)mconfig;
+  s_cfg->groups = parse_commasep_groups(/* global pool?? */NULL, arg);
+  return NULL;
+}
+
 static const command_rec mod_sso_cmds[] =
 {
   AP_INIT_TAKE1("SSOLoginServer", (CMD_HAND_TYPE) set_modsso_login_server, 
@@ -154,6 +179,9 @@ static const command_rec mod_sso_cmds[] =
   AP_INIT_TAKE1("SSOPublicKeyFile", (CMD_HAND_TYPE) set_modsso_public_key_file, 
 		NULL, RSRC_CONF,
 		"SSOPublicKeyFile (string) Location of the login server public key"),
+  AP_INIT_TAKE1("SSOGroups", (CMD_HAND_TYPE) set_modsso_groups,
+                NULL, RSRC_CONF,
+                "SSOGroups (string) comma-separated list of all the groups that we might want to check membership for"),
   {NULL}
 };