Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Adobe Summit 2023 [19th to 23rd March, Las Vegas and Virtual] | Complete AEM Session & Lab list

AEM 6.3 - SAML - Change the path where the user is saved


Level 3

We are using SAML to authentication users in our Communities environment but by default SAML creates the users in /home/users but for communities we need them in /home/users/community.

Is there a way to change the path (via a config or a java hook) to change where SAML saves these user accounts?

When the user is created in /home/users they cannot see other usernames of posters (only unknown user) because the ACL property for everyone to access the profile lives on the community folder. I could add this to the users folder too but this would seem like a security risk.

Tried making a workflow to move the node that runs on rep:User Created but it fails with the following error:

OakConstraint0063: Attempt to manually create or change a token node or it's parent.

5 Replies


Level 2

You're right, SAML will always create the user under /home/users, irrespective of if you're using communities or not. You'll have to extend the OOB SAML handler to create the node under communities vs /home/users. Be careful though, if you do customize it then all users who authenticate through SAML will have their username created under communities path.


Level 3

Do you know which handler it is? I can't find any docs on it. I tired extending SamlAuthenticationHandler (com.adobe.granite.auth.saml) and overriding  createOrUpdateCRXUser but it doesn't seem to be firing.

Having everyone under communities would be exactly what I am looking for.


Level 2

Here are the steps. You'll have to decompile some of the code if you want to look at it.

1) Decompile the SAML authentication Handler.

2) Create your own COMPANY authentication handler by copy pasting the code from OOB SAML authentication Handler into it.

3) Modify the code in your custom class to create users under communities

4) Disable OOB SAML and enable your COMPANY authentication handler.


Level 4

It appears Adobe support recommends the approach @huzaifaha985211 outlined above as well, but practically, how does one achieve the above steps - i.e. how does one decompile the SAML handler and then reintroduce / compile / install the new modified company handler? Can someone provide the required steps to complete those tasks?


Level 2

we have configured SAML SSO for a published site in 6.2. In SAML Authentication config, there is a setting "default groups" where we have given our custom group name. All users got added to this group.

Not sure how SAML is configured/setup in 6.3.  Hope above inputs help you in some way.