diff --git a/api/src/Auth/Saml.php b/api/src/Auth/Saml.php
index a8e732f9e6..9230612dc0 100644
--- a/api/src/Auth/Saml.php
+++ b/api/src/Auth/Saml.php
@@ -146,6 +146,10 @@ class Saml implements BackendSSO
 				];
 			}
 		}
+
+		// check affiliation / group to add or remove
+		self::checkAffiliation($username, $attrs, $GLOBALS['auto_create_acct']);
+
 		// return user session
 		return $GLOBALS['egw']->session->create($username, null, null, false, false);
 	}
@@ -530,6 +534,56 @@ class Saml implements BackendSSO
 		return self::emailAddress;
 	}
 
+	/**
+	 * eduPersonAffiliation attribute
+	 */
+	const eduPersonAffiliation = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1';
+
+	/**
+	 * Check if a group is specified depending on an affiliation attribute
+	 *
+	 * @param string $username
+	 * @param array $attrs
+	 * @param ?array& $auto_create_acct reference to $GLOBALS['auto_create_acct'] for not existing accounts
+	 * @param array|null $config
+	 * @return mixed|string|null
+	 */
+	private function checkAffiliation($username, array $attrs, array &$auto_create_acct=null, array $config=null)
+	{
+		if (!isset($config)) $config = $GLOBALS['egw_info']['server'];
+
+		// check if affiliation is configured and attribute returned by IdP
+		$attr = $config['saml_affiliation'] === 'eduPersonAffiliation' ? self::eduPersonAffiliation : $config['saml_affiliation_oid'];
+		if (!empty($attr) && !empty($attrs[$attr]) && !empty($config['saml_affiliation_group']) && !empty($config['saml_affiliation_values']) &&
+			($gid = $GLOBALS['egw']->accounts->name2id($config['saml_affiliation_group'], 'account_id', 'g')))
+		{
+			if (!isset($auto_create_acct) && ($accout_id = $GLOBALS['egw']->accounts->name2id($username, 'account_id', 'u')))
+			{
+				$memberships = $GLOBALS['egw']->accounts->memberships($accout_id, true);
+			}
+			// check if attribute matches given values to add the extra membership
+			if (array_intersect($attrs[$attr], preg_split('/, */', $config['saml_affiliation_values'])))
+			{
+				if (isset($auto_create_acct))
+				{
+					$auto_create_acct['add_group'] = $gid;
+				}
+				elseif ($accout_id && !in_array($gid, $memberships))
+				{
+					$memberships[] = $gid;
+					$GLOBALS['egw']->accounts->set_memberships($memberships, $accout_id);
+				}
+			}
+			// remove membership, if it's set
+			elseif ($accout_id && ($key = array_search($gid, $memberships, false)) !== false)
+			{
+				unset($memberships[$key]);
+				$GLOBALS['egw']->accounts->set_memberships($memberships, $accout_id);
+			}
+		}
+		error_log(__METHOD__."('$username', ".json_encode($attrs).", ".json_encode($auto_create_acct).") attr=$attr, gid=$gid --> account_id=$accout_id, memberships=".json_encode($memberships));
+	}
+
 	/**
 	 * Create simpleSAMLphp default configuration
 	 *
diff --git a/setup/lang/egw_de.lang b/setup/lang/egw_de.lang
index 580f2062ec..3b26457575 100644
--- a/setup/lang/egw_de.lang
+++ b/setup/lang/egw_de.lang
@@ -169,6 +169,7 @@ click <a href="index.php">here</a> to return to setup.	setup	de	<a href="index.p
 click here	setup	de	Hier klicken
 click here to re-run the installation tests	setup	de	zum Wiederholen der Installationstests hier klicken
 comma separated ip-addresses or host-names, default access to setup from everywhere	setup	de	Komma getrennte IP-Adressen oder Hostnamen, Vorgabe Zugriff von überall
+comma-separated provider names or json	setup	de	Komma-getrennte Authentifizierungstypen oder JSON
 commercial support	setup	de	Kommerzieller Support
 community forum	setup	de	Community Forum
 complete path to aspell program	setup	de	Vollständiger Pfad zum Programm ASPELL
@@ -363,6 +364,7 @@ if using cas (central authentication service):	setup	de	Wenn Sie CAS (Central Au
 if using ldap	setup	de	Wenn Sie LDAP verwenden
 if using ldap, do you want to manage homedirectory and loginshell attributes?	setup	de	Wenn Sie LDAP verwenden, wollen Sie Benutzerverzeichnisse und Kommandointerpreter verwalten ?
 if using mail authentication	setup	de	Wenn Sie Mail Authentifizierung verwenden
+if using multiple authentication providers:	setup	de	Wenn mehrere Authentifizierungtypen verwenden werden sollen:
 if using saml 2.0 / shibboleth / simplesamlphp	setup	de	Wenn Sie SAML 2.0 / Shibboleth / SimpleSAMLphp benutzen
 if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files.	setup	de	Wenn Sie nur die Documentroot erreichen können, wählen Sie bei Inhalt von Dateien speichern <b>Datenbank</b> UND benutzen Sie hier den Pfad für temporäre Dateien.
 if you did not receive any errors, your applications have been	setup	de	Wenn Sie keine Fehlermeldungen erhalten, wurden Ihre Anwendungen
@@ -558,7 +560,9 @@ restore failed	setup	de	Wiederherstellen fehlgeschlagen
 restore finished	setup	de	Wiederherstellen beendet
 restore started, this might take a few minutes ...	setup	de	Wiederherstellung gestartet, das kann einige Minuten dauern ...
 restoring a backup will delete/replace all content in your database. are you sure?	setup	de	Das Wiederherstellen einer Datensicherung löscht / ersetzt den Inhalt Ihrer Datenbank. Sind Sie sicher?
+result data to add or remove extra membership	setup	de	Ergebnisattribute um zusätzliche Mitgliedschaften hinzu zu fügen oder zu entfernen
 result data to use as username	setup	de	Ergebnisattribute das als Benutzername verwendet wird
+result values (comma-separated) and group-name to add or remove	setup	de	Attributewerte (durch Komma getrennt) und Gruppenname der hinzu gefügt oder entfernt wird
 return to setup	setup	de	Zurück zum Setup
 root dn	setup	de	Root DN
 root dn password	setup	de	Root DN Passwort
diff --git a/setup/lang/egw_en.lang b/setup/lang/egw_en.lang
index 2c2954bee8..1e27a3cdfc 100644
--- a/setup/lang/egw_en.lang
+++ b/setup/lang/egw_en.lang
@@ -170,6 +170,7 @@ click <a href="index.php">here</a> to return to setup.	setup	en	Click <a href="i
 click here	setup	en	Click here
 click here to re-run the installation tests	setup	en	Click here to re-run the installation tests
 comma separated ip-addresses or host-names, default access to setup from everywhere	setup	en	Comma separated IP addresses or host names, default access to setup from everywhere
+comma-separated provider names or json	setup	en	Comma-separated provider names or JSON
 commercial support	setup	en	Commercial support
 community forum	setup	en	Community forum
 complete path to aspell program	setup	en	Complete path to aspell program
@@ -366,6 +367,7 @@ if using cas (central authentication service):	setup	en	if using cas (Central Au
 if using ldap	setup	en	If using LDAP
 if using ldap, do you want to manage homedirectory and loginshell attributes?	setup	en	If using LDAP, do you want to manage home directory and login shell attributes?
 if using mail authentication	setup	en	If using Mail authentication
+if using multiple authentication providers:	setup	en	If using Multiple authentication providers:
 if using saml 2.0 / shibboleth / simplesamlphp	setup	en	If using SAML 2.0 / Shibboleth / SimpleSAMLphp
 if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files.	setup	en	If you can only access the docroot choose <b>Database</b> for where to store the file content AND use same path as for temporary files.
 if you did not receive any errors, your applications have been	setup	en	If you did not receive any errors, your applications have been
@@ -562,7 +564,9 @@ restore failed	setup	en	Restore failed!
 restore finished	setup	en	Restore finished!
 restore started, this might take a few minutes ...	setup	en	Restore started, this might take a few minutes ...
 restoring a backup will delete/replace all content in your database. are you sure?	setup	en	Restoring a backup will delete/replace all content in your database. Are you sure?
+result data to add or remove extra membership	setup	en	Result data to add or remove extra membership
 result data to use as username	setup	en	Result data to use as username
+result values (comma-separated) and group-name to add or remove	setup	en	Result values (comma-separated) and group-name to add or remove
 return to setup	setup	en	Return to setup
 root dn	setup	en	Root DN
 root dn password	setup	en	Root DN password
diff --git a/setup/templates/default/config.tpl b/setup/templates/default/config.tpl
index 070f48c8cf..abf75acc50 100644
--- a/setup/templates/default/config.tpl
+++ b/setup/templates/default/config.tpl
@@ -529,6 +529,25 @@
     </td>
    </tr>
 
+   <tr class="row_on">
+    <td>{lang_Result_data_to_add_or_remove_extra_membership}:</td>
+    <td>
+     <select name="newsettings[saml_affiliation]">
+      <option value="eduPersonAffiliation"{selected_saml_affiliation_eduPersonAffiliation}>eduPersonAffiliation</option>
+      <option value="custom"{selected_saml_affiliation_customOid}>{lang_custom_OID}</option>
+     </select>
+     <input name="newsettings[saml_affiliation_oid]" value="{value_saml_affiliation_oid}" placeholder="urn:oid:x.x.x.x" size="40" />
+    </td>
+   </tr>
+
+   <tr class="row_off">
+    <td>{lang_Result_values_(comma-separated)_and_group-name_to_add_or_remove}:</td>
+    <td>
+     <input name="newsettings[saml_affiliation_values]" value="{value_saml_affiliation_values}" placeholder="staff, ..." size="30" />
+     <input name="newsettings[saml_affiliation_group]" value="{value_saml_affiliation_group}" placeholder="Teachers" size="30" />
+    </td>
+   </tr>
+
    <tr class="row_on">
     <td>{lang_Allow_SAML_logins_to_join_existing_accounts}:<br/>({lang_Requires_SAML_optional_on_login_page_and_user_to_specify_username_and_password})</td>
     <td>