SOLVED

AEM Cloud, Closed user group (CUG) IDP sync for groups

Level 2

Hi,

We are trying to set up CUG on our AEM Cloud instance. We are bumping into a problem wherein the AEM Publish instance is unable to synchronize group information (of a user) from the IDP. The AEM publisher authenticates the user directly with the Azure IDP, which sends information like first name, group etc. to the AEM publisher. Somehow, the publisher is unable to process/save the group information (but is able to save first name and last name). However, this works well on the author instance and we are able to see the group information along with the user profile in /home/users. Since it works well on author but not on publisher, I don't think there is any issue with the IDP configuration.

The key differentiator between author and publisher is that the author authenticates the user with Adobe IMS, which internally synchronizes users from the IDP, whereas the publisher is directly connected to authorize users with the IDP.

Another difference between author and publisher is: if I log in multiple times on author (different sessions), a new authorizable node is created in /home/user, whereas on author the same user node is synchronized upon subsequent logins.

It would be great to get insights into this behavior and get some solution around this topic.

Thanks!

1 Accepted Solution

Correct answer by
Community Advisor

AEM Publisher does not have the user sync process that the AEM Author instance has. This is AEM behaviour.

This means that user and group data is not synchronized from the Identity Provider (IdP) to the publish instances.

This is for security reasons. User data is sensitive and should be secured.

As for the Closed User Group (CUG) functionality, it should still work on the publish instances. CUGs are based on group memberships, and the group memberships are included in the SAML assertion from the IdP. AEM uses this information to determine whether a user is a member of a CUG and should be granted access to the content.

Check your CUG configurations and SAML configuration in AEM and your IdP.
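As an added illustration of the point in the accepted answer (example code written for this page, not AEM's or Adobe's code), the script below pulls group memberships out of a SAML assertion and evaluates a CUG-style allow/deny from them, including the failure mode the question describes: an assertion that carries a first name but no group claim at all. The groups claim name is the one Azure AD emits when an application's groups claim is enabled, which is an assumption about the IdP setup; the assertion, the group ids and the CUG principal set are constructed for the example, and signature validation of the assertion is assumed to have happened earlier in the SAML handler.

```python
"""Added example, not from the thread or from Adobe: extract group memberships from a
SAML assertion and evaluate a CUG-style access decision. The assertion, the group ids
and the CUG principal list are constructed; the groups claim name is the one Azure AD
uses when an application's groups claim is enabled (an assumption about the IdP setup)."""
import xml.etree.ElementTree as ET  # untrusted XML in production should go through defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GIVENNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def sample_assertion(include_groups=True):
    """Constructed, unsigned assertion body. The SAML handler verifies the signature
    before attribute processing; that step is deliberately out of scope here."""
    groups = ""
    if include_groups:
        groups = f"""
    <saml:Attribute Name="{GROUPS_ATTR}">
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-0000-0000-0000-000000000002</saml:AttributeValue>
    </saml:Attribute>"""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}" ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{GIVENNAME_ATTR}">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>{groups}
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def group_memberships(attributes):
    """Set of asserted groups, or None when the claim is absent altogether.
    Absent and empty are different signals: absent usually means the IdP never emitted
    the claim or the service provider's attribute mapping does not pick it up, which is
    exactly what "first name saved, groups not saved" looks like from the AEM side."""
    if GROUPS_ATTR not in attributes:
        return None
    return set(attributes[GROUPS_ATTR])


def cug_decision(cug_principals, asserted_groups):
    """Return (allowed, reason). Allow only when at least one asserted group is a CUG principal."""
    if asserted_groups is None:
        return False, "no group claim in assertion: check the IdP groups claim and the SAML attribute mapping"
    matched = set(cug_principals) & asserted_groups
    if matched:
        return True, "matched CUG principal(s): " + ", ".join(sorted(matched))
    return False, "authenticated, but none of the asserted groups is a CUG principal"


if __name__ == "__main__":
    cug = {"aaaaaaaa-0000-0000-0000-000000000002"}  # constructed CUG principal (a group id)
    for label, xml in (("with groups", sample_assertion()), ("without groups", sample_assertion(False))):
        attrs = extract_attributes(xml)
        print(label, cug_decision(cug, group_memberships(attrs)))
```

The deny reason for a missing claim is kept distinct from the deny reason for a non-member on purpose: when debugging a publish instance, the first points at the IdP claim configuration or the SAML attribute mapping, the second at CUG membership itself, and a log line that tells them apart saves a round of guessing.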

4 Replies

Level 2

Hi @SureshDhulipudi,

Thanks for your response. I have been trying to read documentation around what you mentioned but couldn't find anything official from Adobe saying that the group sync won't happen for publisher and whether this is a security concern. Could you please share something that I can read through?

If Adobe says that this is not possible, I am more than happy to close the topic, but we need confirmation or documentation from Adobe.

P.S. One of my colleagues has achieved this in the past on an on-prem AEM instance. That's why it is difficult to believe that the feature is now a security threat.

Thanks!

Community Advisor

Hi @Abie,

It seems like there might be an issue with the synchronization of group information from the IDP to the AEM Publish instance. Since the group information is being saved successfully on the AEM Author instance, it suggests that the issue might be specific to the AEM Publish instance.

One possible reason for this behavior could be a misconfiguration or missing configuration on the AEM Publish instance. It's worth checking the configuration settings related to user synchronization and group mapping on the AEM Publish instance to ensure they are correctly set up.

Additionally, you mentioned that the AEM Author instance authenticates users with Adobe IMS, while the AEM Publish instance directly connects to the IDP for user authentication. This difference in authentication methods could also be a factor contributing to the issue. It's important to ensure that the IDP configuration is correctly set up for both the AEM Author and Publish instances.

To further investigate and troubleshoot the issue, you can check the AEM logs on the Publish instance for any error messages or warnings related to user synchronization or group mapping. These logs might provide more insights into the specific problem.



Level 2

Hi @Raja_Reddy,

Thanks for your response. We are definitely trying to debug this issue by checking logs etc.

The authentication difference between author and publisher is not really a difference; it's by architecture. So there is nothing much we can change there.

Question: have you seen the behavior below in AEM Cloud? We want to rule out whether this is really a concern or not.

"Another difference between author and publisher is: if I log in multiple times on author (different sessions), a new authorizable node is created in /home/user, whereas on author the same user node is synchronized upon subsequent logins."

Thanks!