AEM 6.3 - SAML - Change the path where the user is saved

gregy68980908

10-04-2018

We are using SAML to authenticate users in our Communities environment, but by default SAML creates the users in /home/users, and for Communities we need them in /home/users/community.

Is there a way to change the path (via a config or a java hook) to change where SAML saves these user accounts?

When the user is created in /home/users they cannot see other usernames of posters (only unknown user) because the ACL property for everyone to access the profile lives on the community folder. I could add this to the users folder too but this would seem like a security risk.

Tried making a workflow to move the node that runs on rep:User Created but it fails with the following error:

OakConstraint0063: Attempt to manually create or change a token node or it's parent.

Replies

huzaifaha985211

10-04-2018

You're right, SAML will always create the user under /home/users, irrespective of whether you're using Communities or not. You'll have to extend the OOB SAML handler to create the node under communities vs /home/users. Be careful though: if you do customize it, then all users who authenticate through SAML will have their username created under the communities path.

antonym8430968

10-04-2018

We have configured SAML SSO for a published site in 6.2. In the SAML Authentication config, there is a setting "default groups" where we have given our custom group name. All users got added to this group.

Not sure how SAML is configured/set up in 6.3. Hope the above inputs help you in some way.

gregy68980908

11-04-2018

Do you know which handler it is? I can't find any docs on it. I tried extending SamlAuthenticationHandler (com.adobe.granite.auth.saml) and overriding createOrUpdateCRXUser, but it doesn't seem to be firing.

Having everyone under communities would be exactly what I am looking for.

huzaifaha985211

11-04-2018

Here are the steps. You'll have to decompile some of the code if you want to look at it.

1) Decompile the SAML authentication Handler.

2) Create your own COMPANY authentication handler by copy pasting the code from OOB SAML authentication Handler into it.

3) Modify the code in your custom class to create users under communities.

4) Disable OOB SAML and enable your COMPANY authentication handler.
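Step 3 is the part the thread does not show. As an added illustration (not code from the thread or from Adobe's SAML handler, whose internals are not on this page), here is the Jackrabbit User Management API call a customized handler would use to create the user under /home/users/community instead of directly under /home/users; the class name, the helper method, and the availability of a JackrabbitSession with user-management rights are assumptions.

```java
// Added example, not Adobe's handler code. Assumes a JCR Session that is a
// JackrabbitSession and is allowed to create users (e.g. a service session).
import java.security.Principal;
import java.util.UUID;

import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

public final class CommunityUserCreator {

    // Intermediate path is relative to the users root (/home/users),
    // so new users end up below /home/users/community/...
    private static final String COMMUNITY_INTERMEDIATE_PATH = "community";

    private CommunityUserCreator() {}

    /**
     * Returns the existing user for the SAML subject, or creates it under the
     * community intermediate path. Existing users are returned as-is and never
     * moved: moving user nodes is what raised OakConstraint0063 in the question.
     */
    public static User getOrCreateCommunityUser(Session session, String userId)
            throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            throw new RepositoryException("JackrabbitSession required for user management");
        }
        UserManager userManager = ((JackrabbitSession) session).getUserManager();

        Authorizable existing = userManager.getAuthorizable(userId);
        if (existing != null) {
            if (existing.isGroup()) {
                throw new RepositoryException("Authorizable is a group, not a user: " + userId);
            }
            return (User) existing;
        }

        // Federated users never log in with a local password: set a random,
        // unguessable one so the account only works via the IdP.
        String unusablePassword = UUID.randomUUID().toString();
        Principal principal = () -> userId;

        User user = userManager.createUser(userId, unusablePassword, principal,
                COMMUNITY_INTERMEDIATE_PATH);
        session.save();
        return user;
    }
}
```

Because the lookup is by user ID, a user that already exists directly under /home/users is returned unchanged rather than relocated, so only accounts created after the switch land under the community path.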