SAML2 - AEM CaaS issue for existing user in AEM not able to log in to repo
April 3, 2025
Solved


I am working on a use case where we are integrating SAML with our application. Basically, for new user login we are setting createUser to false, so that whenever a user logs in from the IdP server, that user is not created in AEM.

For an existing user in the AEM publish environment, it should redirect to our portal; here no group is being returned in the Assertion response. Below is my SAML config:

{
    "path": [ "/content/csc-aem-commons/us/en", "/content/ipg-asc" ],
    "idpCertAlias": "$[env:SAML_IDP_CERT_ALIAS;default=certalias___1732570622676]",
    "idpIdentifier": "$[env:SAML_IDP_ID;default=https://login.microsoftonline.com/d026e4c1-5892-497a-b9da-ee493c9f0364]",
    "idpUrl": "$[env:SAML_IDP_URL;default=https://login.microsoftonline.com/d026e4c1-5892-497a-b9da-ee493c9f0364/saml2]",
    "serviceProviderEntityId": "$[env:SAML_AEM_ID;default=https://publish-p135571-e1386830.adobeaemcloud.com]",
    "useEncryption": false,
    "userIDAttribute": "",
    "createUser": false,
    "userIntermediatePath": "ipg/idp",
    "synchronizeAttributes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=profile/email",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=profile/givenName",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=profile/familyName"
    ],
    "addGroupMemberships": true,
    "groupMembershipAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "defaultGroups": [
        "Aem_deu_glb_agency_user"
    ],
    "handleLogout": true
}


Problem: we are getting an error for the existing user, as the login token is not found. Can someone help with how we can fix this?

Getting this error:

 [qtp1635739700-1008] com.adobe.granite.auth.saml.extidp.DefaultUserSync User synchronization failed: Could not access repository.
javax.jcr.RepositoryException: Failed to generate login-token: Could not access Repository
    at com.day.crx.security.token.TokenUtil.createCredentials(TokenUtil.java:103) [com.day.crx.sling.crx-auth-token:2.8.0]
    at com.adobe.granite.auth.saml.extidp.DefaultUserSync.process(DefaultUserSync.java:107) [com.adobe.granite.auth.saml:1.0.62]
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.syncUser(SamlAuthenticationHandler.java:947) [com.adobe.granite.auth.saml:1.0.62]
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:939) [com.adobe.granite.auth.saml:1.0.62]
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:551) [com.adobe.granite.auth.saml:1.0.62]
    at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:77) [org.apache.sling.auth.core:1.6.2]
    at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60) [org.apache.sling.auth.core:1.6.2]
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:664) [org.apache.sling.auth.core:1.6.2]
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:453) [org.apache.sling.auth.core:1.6.2]
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:427) [org.apache.sling.auth.core:1.6.2]
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:122) [org.apache.sling.engine:2.15.18]
    at org.apache.felix.http.base.internal.wrappers.ServletContextHelperWrapper.handleSecurity(ServletContextHelperWrapper.java:48) [org.apache.felix.http.jetty:5.1.26]
    at org.apache.felix.http.base.internal.whiteboard.PerBundleServletContextImpl.handleSecurity(PerBundleServletContextImpl.java:88) [org.apache.felix.http.jetty:5.1.26]
    at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:58)

3 replies

konstantyn_diachenko
Community Advisor
April 3, 2025

Hi @ashishibm ,


Does your existing user on publish have any permissions?


Try to disable addGroupMemberships and don't provide groupMembershipAttribute. 


Best regards,

Kostiantyn Diachenko.

Kostiantyn Diachenko, Community Advisor, Certified Senior AEM Developer, creator of free AEM VLT Tool, maintainer of AEM Tools plugin.
kautuk_sahni
Community Manager
April 14, 2025

@ashishibm Did you find the suggestions helpful? If you need more information, please let us know. If a response resolved your issue, kindly mark it as correct to help others in the future. Alternatively, if you discovered a solution on your own, we'd appreciate it if you could share it with the community. Thank you!

Kautuk Sahni
ashishg1547773 (Accepted solution)
Adobe Employee
May 16, 2025

Basically, in Cloud, IMS groups do not work on the publish environment; we have to create separate groups in AEM publish and provide permissions.

Also, when a user is logged in through SAML, it gets created under the /idp folder, and all the groups that are part of the SAML response with the group membership attribute will be attached to this user after login.
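The config in the question and the accepted answer together describe the mapping the service provider performs after a successful SAML login: createUser decides whether an unknown NameID gets a local user at all, synchronizeAttributes copies claims into the profile, and groupMembershipAttribute plus defaultGroups decide which groups the user ends up in. The Python model below is an added example; it is not AEM's DefaultUserSync code and not code from any poster in the thread. It builds a constructed, unsigned assertion carrying the claim URIs from the posted config and walks three logins through that mapping side by side: an unknown user (rejected because createUser is false), an existing user whose assertion carries IdP groups, and an existing user whose assertion has no groups claim, which is the situation in the question. The function names (build_assertion, parse_assertion, sync_user, run_cases), the example.com identities and the group names agency-editors and agency-reviewers are assumptions of the example.

```python
"""Model of how a SAML service provider maps assertion attributes onto a
local user. Added illustration only: this is not AEM's DefaultUserSync and
not code from any poster in the thread."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}

# Claim URIs taken from the config in the question.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# The sync-relevant part of the posted config.
SAML_CONFIG = {
    "createUser": False,
    "synchronizeAttributes": [
        f"{EMAIL_CLAIM}=profile/email",
        f"{GIVENNAME_CLAIM}=profile/givenName",
        f"{SURNAME_CLAIM}=profile/familyName",
    ],
    "addGroupMemberships": True,
    "groupMembershipAttribute": GROUP_CLAIM,
    "defaultGroups": ["Aem_deu_glb_agency_user"],
}


def build_assertion(name_id, attributes):
    """Build a minimal, unsigned saml2:Assertion as constructed test input."""
    ET.register_namespace("saml2", SAML2)
    root = ET.Element(f"{{{SAML2}}}Assertion", {"ID": "_constructed", "Version": "2.0"})
    subject = ET.SubElement(root, f"{{{SAML2}}}Subject")
    ET.SubElement(subject, f"{{{SAML2}}}NameID").text = name_id
    statement = ET.SubElement(root, f"{{{SAML2}}}AttributeStatement")
    for name, values in attributes.items():
        attr = ET.SubElement(statement, f"{{{SAML2}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
    return ET.tostring(root)


def parse_assertion(xml_bytes):
    """Return (name_id, {claim_name: [values]}) from an assertion.

    A real SP must verify the XML signature, audience and validity window
    before trusting anything read here; that step is out of scope."""
    root = ET.fromstring(xml_bytes)
    name_id = root.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
        values = attr.iterfind("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return name_id, attrs


def sync_user(config, name_id, attrs, existing_users):
    """Apply createUser, synchronizeAttributes and the group settings, and
    return a dict describing what the local user would look like."""
    if name_id not in existing_users and not config["createUser"]:
        return {"status": "rejected",
                "reason": "user does not exist and createUser is false"}
    profile = {}
    for mapping in config["synchronizeAttributes"]:
        claim, target = mapping.split("=", 1)
        if attrs.get(claim):
            profile[target] = attrs[claim][0]
    # defaultGroups always apply; IdP groups are added only when enabled.
    groups = set(config["defaultGroups"])
    if config["addGroupMemberships"]:
        groups.update(attrs.get(config["groupMembershipAttribute"], []))
    return {"status": "synced", "user": name_id,
            "profile": profile, "groups": sorted(groups)}


def run_cases():
    """Three logins against a publish instance that already knows alice."""
    existing = {"alice@example.com"}  # constructed existing local user
    base = {EMAIL_CLAIM: ["alice@example.com"],
            GIVENNAME_CLAIM: ["Alice"], SURNAME_CLAIM: ["Example"]}
    with_groups = {**base, GROUP_CLAIM: ["agency-editors", "agency-reviewers"]}
    cases = {
        "existing_with_groups": ("alice@example.com", with_groups),
        "existing_no_groups_claim": ("alice@example.com", base),
        "unknown_user": ("bob@example.com", {EMAIL_CLAIM: ["bob@example.com"]}),
    }
    results = {}
    for label, (name_id, claims) in cases.items():
        parsed_id, parsed_attrs = parse_assertion(build_assertion(name_id, claims))
        results[label] = sync_user(SAML_CONFIG, parsed_id, parsed_attrs, existing)
    return results


if __name__ == "__main__":
    for label, outcome in run_cases().items():
        print(label, outcome)
```

The no-groups case is the one worth looking at: with no groups claim in the assertion, the existing user lands only in defaultGroups, so whatever permission that user needs on publish has to be granted to groups that actually exist there, which is the point the accepted answer makes.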