GroupMember is required or not for saml authentication handler

Question

Hi ,I am using the saml authentication handler to integrated with IDP(Identity Directory Provider) in AEM configuration console. When do the sync up with IDP, is the GroupMembership is required from IDP saml attribute? As I am considering this is may related to the user permissions after user authenticated by IDP successfully. if IDP doesn't provide the group attribute information, may I just use default group settings in AEM to make sure the user will be added to CRX group (contributor) and grant the necessary the permission to view the AEM resources? Because for now I am getting a HTTP 403 Error of AEM page after IDP authenticated, I think that would be AEM permission problem for this new sync user from IDP.[img]AEMConsole.jpg[/img]

Sham_HC · Accepted Answer

Hi Wang OwenWith sp1 it is bug & is fixed in sp2. Please wait till sp2 release Or file daycare to get hotfix.Thanks,Sham

surya_raju · Answer

Hi Sham and Wang Owen,we are have successfully integrated our IDP with AEM 6.0 (sp1) through SAML authentication handler.@Wang Owen: we have also faced the403 error. oncethe user gets authenticated byIDP our AEM is giving 403 error( please note that we are also not passing any group attribute in the SAML response).below are the steps we have done to overcome this issue:1) In the "Apache Sling Referrer Filter" in the "Allow hosts" option we have to givethe name of the host name in the format "www.:". 2) verify the certificates that is being created and between AEM and IDP. make sure youhave create a node called private under /etc/key/saml and uploded the private key in pkcs#8 format.passing group attribute in not mandatory, just uncheck "Add to Groups". user will be created in the AEM and assigned to the group "everyone".RegardsSurya Raju

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded