diff --git a/saml/saml.go b/saml/saml.go
index 64a39e9bcbb5c518185c594f965551328ff3eec8..471af5ad1ee9af1bfa0df3b2ab4cf3b143e43f22 100644
--- a/saml/saml.go
+++ b/saml/saml.go
@@ -124,6 +124,20 @@ func (c *Config) GetSSOGroups(serviceProviderID string) []string {
 return sp.SSOGroups
 }
 
+func (c *Config) GetAllSSOGroups() []string {
+ tmp := make(map[string]struct{})
+ for _, sp := range c.serviceProviderMap {
+ for _, group := range sp.SSOGroups {
+ tmp[group] = struct{}{}
+ }
+ }
+ var out []string
+ for group := range tmp {
+ out = append(out, group)
+ }
+ return out
+}
+
 // Read users from a YAML-encoded file, in a format surprisingly
 // compatible with git.autistici.org/id/auth/server.
 //
@@ -311,7 +325,7 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 h := idp.Handler()
 
 root := mux.NewRouter()
- root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, nil))
+ root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, config.GetAllSSOGroups()))
 root.Handle(metadataURL.Path, h)
 return root, nil
 }
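Review bot: GetAllSSOGroups builds its result by ranging over a map, so the returned slice comes back in Go's randomized iteration order and differs from run to run. Sorting before the return (`sort.Strings(out)`, which needs the `sort` import if the file does not already have it) keeps the group list stable for logs, tests and any comparison of the value passed to the wrapper. The exported method also has no doc comment; `// GetAllSSOGroups returns the deduplicated union of the SSOGroups of all configured service providers, or nil if none are set.` would record the nil-when-empty result, which matches the `nil` the caller passed before this change.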
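Review bot: The wrapper on the SSO path now receives the union of every service provider's groups, so whatever group information it yields is no longer specific to one service provider. The authorization decision for an individual SP still has to compare the user's groups against `GetSSOGroups(serviceProviderID)`, and that check is not visible in this hunk. It is also worth confirming how `Wrap` treats a non-nil list: if it rejects users who belong to none of the listed groups, service providers configured without SSOGroups would become unreachable for those users as soon as any other SP sets a group. A comment above the call, e.g. `// Request the union of all SP groups; per-SP membership is enforced in <handler>`, would record where enforcement lives. NewSAMLIDP begins outside the hunk.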