Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.

AEM 6.3 - SAML - Change the path where the user is saved

Avatar

Level 3

We are using SAML to authentication users in our Communities environment but by default SAML creates the users in /home/users but for communities we need them in /home/users/community.

Is there a way to change the path (via a config or a java hook) to change where SAML saves these user accounts?

When the user is created in /home/users they cannot see other usernames of posters (only unknown user) because the ACL property for everyone to access the profile lives on the community folder. I could add this to the users folder too but this would seem like a security risk.

Tried making a workflow to move the node that runs on rep:User Created but it fails with the following error:

OakConstraint0063: Attempt to manually create or change a token node or it's parent.

5 Replies

Avatar

Level 2

You're right, SAML will always create the user under /home/users, irrespective of if you're using communities or not. You'll have to extend the OOB SAML handler to create the node under communities vs /home/users. Be careful though, if you do customize it then all users who authenticate through SAML will have their username created under communities path.

Avatar

Level 3

Do you know which handler it is? I can't find any docs on it. I tired extending SamlAuthenticationHandler (com.adobe.granite.auth.saml) and overriding  createOrUpdateCRXUser but it doesn't seem to be firing.

Having everyone under communities would be exactly what I am looking for.

Avatar

Level 2

Here are the steps. You'll have to decompile some of the code if you want to look at it.

1) Decompile the SAML authentication Handler.

2) Create your own COMPANY authentication handler by copy pasting the code from OOB SAML authentication Handler into it.

3) Modify the code in your custom class to create users under communities

4) Disable OOB SAML and enable your COMPANY authentication handler.

It appears Adobe support recommends the approach @huzaifaha985211 outlined above as well, but practically, how does one achieve the above steps - i.e. how does one decompile the SAML handler and then reintroduce / compile / install the new modified company handler? Can someone provide the required steps to complete those tasks?

Avatar

Level 2

we have configured SAML SSO for a published site in 6.2. In SAML Authentication config, there is a setting "default groups" where we have given our custom group name. All users got added to this group.

Not sure how SAML is configured/setup in 6.3.  Hope above inputs help you in some way.