AEM User/Group Creation API | Community
srikanthp689160
Level 4
July 16, 2020
Solved

AEM User/Group Creation API


Hi,

We are trying to implement authentication using the OOTB SAML handler for one of our applications. We see an option to auto-create users and assign them to default AEM user groups. Our requirement is that there are two types of users: 1. Dealer Admin and 2. Dealer User. I could not understand how we can differentiate between these two users after successful login using the same SAML configuration.

Also, out of the below two approaches to user and user group creation and assigning permissions, which one is preferable?

1. Auto Create users and assign them to user group created manually

2. Create users and user groups and manage permissions manually. With respect to this, does AEM expose any API which can be invoked by the IDP or AD to create users and user groups?


Any suggestions on this would be very helpful.

3 replies

Nupur_Jain
Adobe Employee
Accepted solution
July 16, 2020

Hi @srikanthp689160 


The AEM SAML Authentication Handler creates users automatically and there is no control over user creation.

But if I understand your requirement correctly, you want to allocate groups to each user based on some SAML attribute values of the user. If that is correct, you should mention these attributes in the "Synchronized attributes" field, like "employeetype=profile/employeetype", where employeetype is the SAML assertion attribute; it will be added as the employeetype property in the profile node under the created user.


Now, you can create a workflow which starts on creation of the user node and then assigns the proper group to the user depending upon the user's profile properties. The groups can then be used to manage permissions. Even if your group assignment is not dependent on SAML assertion values, you can still achieve group allocation using a workflow.


Hope it helps!

Thanks,

Nupur

srikanthp689160
Level 4
July 16, 2020

Hi nupurjain, thanks for the information, will try this out. Is there an OOTB way of assigning users to different groups after login?

Adobe Employee
July 16, 2020

The SAML response from whatever IdP you're integrating with should set what groups the user is to be added to.


The default group is just a group that you may want all users to belong to. Having a default group set is subjective to whatever the requirements are. It may not be necessary.


NOTE -- the groups must pre-exist in AEM; AEM won't automatically create the group if it doesn't exist.

It will create the users, but not the group.
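The approach Nupur describes (a workflow or post-processor that reads the synchronized employeetype profile property and puts the user into a matching group), combined with the note above that groups must already exist, as an added example that is not code from this thread or from AEM itself. The group ids in GROUP_BY_TYPE, the employeetype values and the helper name are assumptions; it uses the Jackrabbit UserManager API that AEM ships.

```java
// Added example (not from the thread): helper a workflow step or SAML post-processor
// could call for an auto-created user. It only adds the user to a group that already
// exists in AEM; it never creates groups, matching the note that AEM won't either.
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;

public final class DealerGroupAssigner {

    // Assumed mapping: synchronized employeetype value -> pre-existing AEM group id.
    private static final Map<String, String> GROUP_BY_TYPE = Map.of(
        "dealer-admin", "dealer-admins",
        "dealer-user",  "dealer-users");

    private DealerGroupAssigner() {}

    /**
     * Adds the user at userPath to the group mapped from profile/employeetype.
     * Returns the group id on success, or null when the path is not a user,
     * the employeetype is unknown, or the target group does not exist.
     */
    public static String assign(ResourceResolver resolver, String userPath)
            throws RepositoryException {
        UserManager um = resolver.adaptTo(UserManager.class);
        Session session = resolver.adaptTo(Session.class);
        Authorizable a = um.getAuthorizableByPath(userPath);
        if (a == null || a.isGroup()) return null;
        User user = (User) a;
        // The SAML handler wrote the synchronized attribute under <user>/profile.
        Resource profile = resolver.getResource(userPath + "/profile");
        if (profile == null) return null;
        String type = profile.getValueMap().get("employeetype", String.class);
        String groupId = type == null ? null : GROUP_BY_TYPE.get(type.toLowerCase());
        if (groupId == null) return null;
        Authorizable g = um.getAuthorizable(groupId);
        if (g == null || !g.isGroup()) return null;   // group must pre-exist
        Group group = (Group) g;
        if (!group.isMember(user)) {                   // idempotent on re-login
            group.addMember(user);
            session.save();
        }
        return groupId;
    }
}
```

The resolver passed in must be a service user with write access to /home/users and /home/groups; a null return is the signal to log and skip rather than create anything.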

srikanthp689160
Level 4
July 16, 2020

Hi aemmarc, I did not understand what exactly you meant by this statement "The SAML response from whatever Idp you're integrating with should set what groups the user is to be added to. "

Do you mean, if SAML response contains aem user group name, after successful authentication will the user be mapped to that aem user group automatically? If yes, can you please provide more details on this.

If no, as nupurjain mentioned, we might have to implement a workflow or SAMLPostProcessor to assign the user to a group after successful login.

Please correct me if the above understanding is wrong.

ChitraMadan
Community Advisor
July 16, 2020

Hi @srikanthp689160 ,


If you have 2 groups in your IDP - Dealer Admin and Dealer User - make sure you create the same user groups in AEM manually and assign them required permissions.

The name of the user groups in AEM and in your IDP should match.


And in your SAML Authentication Handler - "Add to Groups" should be enabled by default.


So now when your user is created in AEM it is added to the created group in AEM (Dealer Admin/Dealer User), based on which group that user belongs to in the IDP.

srikanthp689160
Level 4
July 17, 2020

Hi @chitramadan, do you mean that by making sure the CRX group name and the group name in the IDP are exactly the same, and just enabling the Add to Groups checkbox and providing Group Membership with the respective SAML attribute, the user will be added to that particular group? I will try this out.

Screenshot for reference