Adobe Experience Manager Sites & More

SDusane · 24/03/2025

Hi Team,

I am using SAML 2.0 Authentication for external users authentication on our portal.

Where I have a usecase, I want to add the user to multiple groups when they are authenticated, I am using below properties

addGroupMemberships : true

groupMembershipAttribute : "http://schemas.test.com/groups-name", [ which will result in "group1, group2" values]

Once authenticated, the users are not getting added to both the groups, it is working when I pass only one group name but not for more than one.

How can I pass more than 1 group in this property, Shall I try with String array or string values? Can you pls share me some samples for groupMembershipAttribute.

Thanks,

SD

SDusane · 26/03/2025

Hi All,

The issue is resolved when I tried to use String Array e.g. ["group1","group2"]

and I could see in SAML Assertion, the strings were pass a single value 2 times and it successfully added the user in both the groups like

"http://schemas.test.com/groups-name" : "group1"

"http://schemas.test.com/groups-name" : "group2"

Thank you all for your help.

Regards,

SD

Ver solução na publicação original

arunpatidar · 25/03/2025

HI @SDusane

It should be list type

Example : https://medium.com/@imrul001/comprehensive-guide-setting-up-saml-sso-between-keycloak-and-aem-0b134c...

Mapper for groups (Group List): Employed the Group List mapper type for mapping group information, with the full group path disabled for simplicity.

Arun Patidar

Mahedi_Sabuj · 25/03/2025

Hi @SDusane,

If multiple groups are not working as expected, you can create a new group and assign it as a member of both existing groups. In this way, any members added to the newly created group will inherit permissions and access from both original groups.

Mahedi Sabuj

narendiran_ravi · 25/03/2025

Hi @SDusane ,

You need to map the group attribute sent in the SAML response from your IDP in AEM SAML configuration. Refer this -https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/saml-sync-user-groups/m-p/...

For the below example response, GroupMembership should be added as a value for groupMembershipAttribute in AEM SAML config.

<!-- Group Memberships -->
            <saml:Attribute Name="GroupMembership">
                <saml:AttributeValue xsi:type="xs:string">aem-authors</saml:AttributeValue>
                <saml:AttributeValue xsi:type="xs:string">aem-editors</saml:AttributeValue>
                <saml:AttributeValue xsi:type="xs:string">aem-administrators</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>