AEM 6.3 - SAML - Change the path where the user is saved

gregy68980908

10-04-2018

We are using SAML to authenticate users in our Communities environment, but by default SAML creates the users in /home/users, and for communities we need them in /home/users/community.

Is there a way to change the path (via a config or a Java hook) to change where SAML saves these user accounts?

When the user is created in /home/users they cannot see other usernames of posters (only unknown user) because the ACL property for everyone to access the profile lives on the community folder. I could add this to the users folder too but this would seem like a security risk.

Tried making a workflow to move the node that runs on rep:User Created but it fails with the following error:

OakConstraint0063: Attempt to manually create or change a token node or it's parent.

Replies

huzaifaha985211

10-04-2018

You're right, SAML will always create the user under /home/users, irrespective of whether you're using communities or not. You'll have to extend the OOB SAML handler to create the node under communities vs /home/users. Be careful though: if you do customize it, then all users who authenticate through SAML will have their username created under the communities path.

antonym8430968

10-04-2018

We have configured SAML SSO for a published site in 6.2. In the SAML Authentication config, there is a setting "default groups" where we have given our custom group name. All users got added to this group.

Not sure how SAML is configured/set up in 6.3. Hope the above inputs help you in some way.

gregy68980908

11-04-2018

Do you know which handler it is? I can't find any docs on it. I tried extending SamlAuthenticationHandler (com.adobe.granite.auth.saml) and overriding createOrUpdateCRXUser but it doesn't seem to be firing.

Having everyone under communities would be exactly what I am looking for.

huzaifaha985211

11-04-2018

Here are the steps. You'll have to decompile some of the code if you want to look at it.

1) Decompile the SAML authentication handler.

2) Create your own COMPANY authentication handler by copy-pasting the code from the OOB SAML authentication handler into it.

3) Modify the code in your custom class to create users under communities.

4) Disable OOB SAML and enable your COMPANY authentication handler.

thisthatheotter

11-11-2020

It appears Adobe support recommends the approach @huzaifaha985211 outlined above as well, but practically, how does one achieve the above steps - i.e. how does one decompile the SAML handler and then reintroduce / compile / install the new modified company handler? Can someone provide the required steps to complete those tasks?