AEM SAML Authentication and Group assignation

I think it should support this scenario but not OOTB. OOTB would put the user in the same groups mentioned in the config manger configuration. Guess you need to have a LDAP and intervene in between to achieve this.

This is just a theory have not implemented by myself.

Thanks

Tuhin 

As Justin said, this is supported OOTB with proper configuration. You need to configure the SAML handler for adding user to groups and the parameter name which will contain groups in the assertion. You also need to have those groups pre-created in AEM

One strange behavior i have observed is if i am passing the groups from the SAML assertion for the user who is authenticated. if the User is already having another set of group in AEM instance those are getting overridden with SAML assertion groups. Is this the expected behavior. If this is the result always i will not be able to retain User specific group privileges with in the AEM instance.?

Yes. that's the expected behavior. You can have some default groups to which all users will be added to when they land in AEM.

kk krish wrote...

Yes, Default group assignation is ok. But overriding the existing user assigned groups is a little weird.

Any how i have one more curious question that how can we configure more than one Group Membership names in AEM, if my SAML assertion is capable sending multiple parameter names with respective groups?

 

This is not weird. Your IDP is responsible for the user's profile (which includes user groups among other things). With this configuration you make the IDP as the central system of record. You should not change the profile within AEM. If you want more permissions for some users, create another group in IDP and add permissions to that group in AEM. 

For the second part, can you provide your assertion sample ?

Yes, Default group assignation is ok. But overriding the existing user assigned groups is a little weird.

Any how i have one more curious question that how can we configure more than one Group Membership names in AEM, if my SAML assertion is capable sending multiple parameter names with respective groups?

kk krish wrote...

Yes, Default group assignation is ok. But overriding the existing user assigned groups is a little weird.

Any how i have one more curious question that how can we configure more than one Group Membership names in AEM, if my SAML assertion is capable sending multiple parameter names with respective groups?

 

right now i don't have a saml assertion with multiple parameter names in hand. was just curious about that if it is possible how to handle the same in AEM instance. because in AEM SAML authentication Handler looks like only one entry for "Group Membership".

Also observed that if the user is belonging to administrators group and SAML authentication login is going to infinite loop. and the saml loggers as below.

" at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:313) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:459) ... 75 common frames omitted 21.04.2016 16:56:02.624 *WARN* [qtp311822445-321] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request. 21.04.2016 16:56:03.313 *ERROR* [qtp311822445-319] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository. javax.jcr.AccessDeniedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231) at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461) at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)"

Because that's the standard where same attribute shouldn't come under two different attribute names. If your SAML provider is not following the standard, you shouldn't expect AEM or any other product to handle that.

If you want to make a user admin along with SAML SSO, I will suggest to create a custom group in your IDP. And make that group as a member of OOTB administrators group. 

You should read more about user privileges at [1].

[1] https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html