Add the ability to choose an HTTP header to pass groups informations related to the user. so w'll have on header for the user id and one (optionnal) for group(s) info. (coma separated fro ex.)

An other possibility could be to allow to combine reverse-proxy-auth (for user identification) and a script from script-security-realm to get only the groups of the user.