Will AEM support one to one groups assignation after the User login from SAML, Attached the below image for the Use case that i am looking for.
Solved! Go to Solution.
Views
Replies
Total Likes
Yes, groups contained in the SAML assertion can be assigned to a user when the assertion is received if the SAML Authentication Handler is configured properly. See http://adobe.ly/1XJsIkQ.
Views
Replies
Total Likes
I think it should support this scenario but not OOTB. OOTB would put the user in the same groups mentioned in the config manger configuration. Guess you need to have a LDAP and intervene in between to achieve this.
This is just a theory have not implemented by myself.
Thanks
Tuhin
Views
Replies
Total Likes
Yes, groups contained in the SAML assertion can be assigned to a user when the assertion is received if the SAML Authentication Handler is configured properly. See http://adobe.ly/1XJsIkQ.
Views
Replies
Total Likes
As Justin said, this is supported OOTB with proper configuration. You need to configure the SAML handler for adding user to groups and the parameter name which will contain groups in the assertion. You also need to have those groups pre-created in AEM
Views
Replies
Total Likes
One strange behavior i have observed is if i am passing the groups from the SAML assertion for the user who is authenticated. if the User is already having another set of group in AEM instance those are getting overridden with SAML assertion groups. Is this the expected behavior. If this is the result always i will not be able to retain User specific group privileges with in the AEM instance.?
Views
Replies
Total Likes
Yes. that's the expected behavior. You can have some default groups to which all users will be added to when they land in AEM.
Views
Replies
Total Likes
kk krish wrote...
Yes, Default group assignation is ok. But overriding the existing user assigned groups is a little weird.
Any how i have one more curious question that how can we configure more than one Group Membership names in AEM, if my SAML assertion is capable sending multiple parameter names with respective groups?
This is not weird. Your IDP is responsible for the user's profile (which includes user groups among other things). With this configuration you make the IDP as the central system of record. You should not change the profile within AEM. If you want more permissions for some users, create another group in IDP and add permissions to that group in AEM.
For the second part, can you provide your assertion sample ?
Views
Replies
Total Likes
Yes, Default group assignation is ok. But overriding the existing user assigned groups is a little weird.
Any how i have one more curious question that how can we configure more than one Group Membership names in AEM, if my SAML assertion is capable sending multiple parameter names with respective groups?
Views
Replies
Total Likes
kk krish wrote...
Yes, Default group assignation is ok. But overriding the existing user assigned groups is a little weird.
Any how i have one more curious question that how can we configure more than one Group Membership names in AEM, if my SAML assertion is capable sending multiple parameter names with respective groups?
right now i don't have a saml assertion with multiple parameter names in hand. was just curious about that if it is possible how to handle the same in AEM instance. because in AEM SAML authentication Handler looks like only one entry for "Group Membership".
Views
Replies
Total Likes
Also observed that if the user is belonging to administrators group and SAML authentication login is going to infinite loop. and the saml loggers as below.
" at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:313) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:459) ... 75 common frames omitted 21.04.2016 16:56:02.624 *WARN* [qtp311822445-321] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request. 21.04.2016 16:56:03.313 *ERROR* [qtp311822445-319] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository. javax.jcr.AccessDeniedException: OakAccess0000: Access denied at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231) at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461) at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)"
Views
Replies
Total Likes
Because that's the standard where same attribute shouldn't come under two different attribute names. If your SAML provider is not following the standard, you shouldn't expect AEM or any other product to handle that.
If you want to make a user admin along with SAML SSO, I will suggest to create a custom group in your IDP. And make that group as a member of OOTB administrators group.
You should read more about user privileges at [1].
[1] https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html
Views
Replies
Total Likes
Is it not solved yet?
Thanks
Tuhin
Views
Replies
Total Likes
Thanks All,
Am able to assign groups which are in the SAML assertion and from AEM i am not using any default groups.
Views
Replies
Total Likes
Views
Replies
Total Likes