SOLVED

AEM SAML Authentication and Group assignation

Level 5

Will AEM support one-to-one group assignment after the user logs in via SAML? I have attached an image below for the use case I am looking for.

1 Accepted Solution

Correct answer by
Employee

Yes, groups contained in the SAML assertion can be assigned to a user when the assertion is received if the SAML Authentication Handler is configured properly. See http://adobe.ly/1XJsIkQ.

13 Replies

Level 7

I think it should support this scenario, but not OOTB. OOTB would put the user in the same groups mentioned in the Config Manager configuration. I guess you need to have an LDAP and intervene in between to achieve this.

This is just a theory; I have not implemented it myself.

Thanks

Tuhin 

Level 3

As Justin said, this is supported OOTB with proper configuration. You need to configure the SAML handler for adding users to groups, and the parameter name that will contain the groups in the assertion. You also need to have those groups pre-created in AEM.

Level 5

One strange behavior I have observed is that if I am passing the groups from the SAML assertion for the user who is authenticated, and the user already has another set of groups in the AEM instance, those are getting overridden with the SAML assertion groups. Is this the expected behavior? If this is always the result, I will not be able to retain user-specific group privileges within the AEM instance.

Level 3

Yes, that's the expected behavior. You can have some default groups to which all users will be added when they land in AEM.
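To make the behavior described in the replies above concrete (the group attribute named in the handler configuration supplies the groups, only groups pre-created in AEM can be assigned, default groups are always added, and the result replaces whatever membership the user had before), here is an added Python model. It is example code written for this thread, not AEM's SAML handler; the assertion XML, the attribute name "groups" and the group names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response); the attribute name
# "groups" stands in for whatever is configured as "Group Membership" in the handler.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>content-authors</saml:AttributeValue>
      <saml:AttributeValue>dam-users</saml:AttributeValue>
      <saml:AttributeValue>not-in-aem</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, attr_name: str) -> list[str]:
    """Return all values of one SAML attribute; an absent attribute yields []."""
    root = ET.fromstring(assertion_xml)
    xpath = f".//saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(xpath, NS) if v.text]


def sync_groups(assertion_groups, existing_aem_groups, default_groups, current_membership):
    """Model of the sync described in the thread (assumption, not AEM's code):
    assertion groups that exist in AEM, plus the default groups, become the
    user's membership; groups held before this login are not carried over."""
    known = [g for g in assertion_groups if g in existing_aem_groups]
    skipped = [g for g in assertion_groups if g not in existing_aem_groups]
    new_membership = sorted(set(known) | set(default_groups))
    dropped = sorted(set(current_membership) - set(new_membership))
    return new_membership, skipped, dropped


if __name__ == "__main__":
    groups = attribute_values(ASSERTION, "groups")
    result = sync_groups(groups, {"content-authors", "dam-users", "administrators", "everyone"},
                         ["everyone"], ["administrators", "everyone"])
    print("membership after login:", result[0])
    print("skipped (not pre-created in AEM):", result[1])
    print("dropped (held before login):", result[2])
```

The `dropped` list is the override the question asks about: a group such as `administrators` that was granted inside AEM does not survive the login unless the IdP sends it or it is a default group.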

Level 3

kk krish wrote...

Yes, default group assignment is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with respective groups?

This is not weird. Your IDP is responsible for the user's profile (which includes user groups, among other things). With this configuration you make the IDP the central system of record. You should not change the profile within AEM. If you want more permissions for some users, create another group in the IDP and add permissions to that group in AEM.

For the second part, can you provide your assertion sample?

Level 5

Yes, default group assignment is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with respective groups?

Level 5

kk krish wrote...

Yes, default group assignment is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with respective groups?

Right now I don't have a SAML assertion with multiple parameter names in hand. I was just curious about whether it is possible and how to handle it in the AEM instance, because the AEM SAML Authentication Handler looks like it has only one entry for "Group Membership".

Level 5

I also observed that if the user belongs to the administrators group, the SAML authentication login goes into an infinite loop, and the SAML logger shows the following:

" at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:313) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:459) ... 75 common frames omitted 21.04.2016 16:56:02.624 *WARN* [qtp311822445-321] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request. 21.04.2016 16:56:03.313 *ERROR* [qtp311822445-319] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository. javax.jcr.AccessDeniedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231) at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461) at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)"

Level 3

Because that's the standard: the same attribute shouldn't come under two different attribute names. If your SAML provider is not following the standard, you shouldn't expect AEM or any other product to handle that.

If you want to make a user admin along with SAML SSO, I would suggest creating a custom group in your IDP, and making that group a member of the OOTB administrators group.

You should read more about user privileges at [1].

[1] https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Level 7

Is it not solved yet?

Thanks

Tuhin

Level 5

Thanks all,

I am able to assign the groups that are in the SAML assertion, and from the AEM side I am not using any default groups.

Level 2

Hi, how did you solve this issue? In my case the user is getting created properly, but the groups are not getting assigned correctly.