AEM SAML Authentication and Group assignation

Accepted Solutions (1)


justin_at_adobe

Employee

20-04-2016

Yes, groups contained in the SAML assertion can be assigned to a user when the assertion is received if the SAML Authentication Handler is configured properly. See http://adobe.ly/1XJsIkQ.

Answers (11)


Kkkrish

27-04-2016

Thanks All,

I am able to assign groups which are in the SAML assertion, and from AEM I am not using any default groups.

abhishekb

21-04-2016

Because that's the standard: the same attribute shouldn't come under two different attribute names. If your SAML provider is not following the standard, you shouldn't expect AEM or any other product to handle that.

If you want to make a user admin along with SAML SSO, I would suggest creating a custom group in your IDP and making that group a member of the OOTB administrators group.

You should read more about user privileges at [1].

[1] https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Kkkrish

21-04-2016

Also observed that if the user belongs to the administrators group, the SAML authentication login goes into an infinite loop, and the SAML logs are as below.

 at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:313)
 at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:459)
 ... 75 common frames omitted
21.04.2016 16:56:02.624 *WARN* [qtp311822445-321] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
21.04.2016 16:56:03.313 *ERROR* [qtp311822445-319] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
 at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
 at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
 at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)
 at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461)
 at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)
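The log excerpt above is the kind of thing an operator would want to pick out of AEM's error.log automatically rather than by eye. The following is an added example, not code from the thread or from Adobe: it parses the error.log line format shown in the post (date, level, thread, logger, message, with stack-trace continuation lines) and reports the two SamlAuthenticationHandler conditions visible there, the unsigned AuthnRequest warning and the failed user synchronization together with its root exception. The sample log is constructed from the post's lines plus one unrelated INFO entry; the stack frames are reformatted onto separate lines as they appear in a real error.log.

```python
import re
from dataclasses import dataclass, field

# One error.log entry: "dd.MM.yyyy HH:mm:ss.SSS *LEVEL* [thread] logger message"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\*(?P<level>[A-Z]+)\* "
    r"\[(?P<thread>[^\]]+)\] "
    r"(?P<logger>\S+) "
    r"(?P<message>.*)$"
)
SAML_LOGGER = "com.adobe.granite.auth.saml.SamlAuthenticationHandler"

# Constructed sample: the two SAML handler lines and the AccessDeniedException
# come from the post above; the first INFO line is an unrelated entry added to
# show that non-SAML loggers are ignored.
SAMPLE_LOG = """\
21.04.2016 16:55:59.100 *INFO* [qtp311822445-320] org.apache.sling.auth.core.impl.SlingAuthenticator constructed unrelated entry
21.04.2016 16:56:02.624 *WARN* [qtp311822445-321] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
21.04.2016 16:56:03.313 *ERROR* [qtp311822445-319] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
\tat org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
\tat org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461)
\t... 75 common frames omitted
"""


@dataclass
class LogEntry:
    ts: str
    level: str
    thread: str
    logger: str
    message: str
    trace: list = field(default_factory=list)  # continuation lines (exception + frames)


def parse_error_log(text):
    """Group error.log lines into entries; lines without a timestamp belong to the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(LogEntry(**m.groupdict()))
        elif entries and line.strip():
            entries[-1].trace.append(line)
    return entries


def saml_findings(entries):
    """Return the SAML handler conditions worth alerting on, oldest first."""
    findings = []
    for e in entries:
        if e.logger != SAML_LOGGER:
            continue
        if e.message.startswith("Private key of SP not provided"):
            findings.append({"kind": "unsigned_authn_request", "ts": e.ts,
                             "thread": e.thread, "detail": e.message})
        elif e.message.startswith("User synchronization failed"):
            # The first continuation line that is not a stack frame names the exception.
            exc = next((l.strip() for l in e.trace
                        if not l.lstrip().startswith(("at ", "..."))), "")
            findings.append({"kind": "user_sync_failed", "ts": e.ts,
                             "thread": e.thread, "detail": e.message, "exception": exc})
    return findings


if __name__ == "__main__":
    for f in saml_findings(parse_error_log(SAMPLE_LOG)):
        print(f)
```

A repeated `user_sync_failed` finding on successive requests from the same client is the log-side symptom of the redirect loop the post describes; feeding `saml_findings` the live error.log and counting that kind per minute is enough to alert on it.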

Kkkrish

21-04-2016

kk krish wrote...

Yes, default group assignation is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with respective groups?

Right now I don't have a SAML assertion with multiple parameter names in hand. I was just curious whether it is possible, and how to handle the same in an AEM instance, because the AEM SAML Authentication Handler looks like it has only one entry for "Group Membership".

Kkkrish

21-04-2016

Yes, default group assignation is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with respective groups?

abhishekb

21-04-2016

kk krish wrote...

Yes, default group assignation is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with respective groups?

This is not weird. Your IDP is responsible for the user's profile (which includes user groups, among other things). With this configuration you make the IDP the central system of record. You should not change the profile within AEM. If you want more permissions for some users, create another group in the IDP and add permissions to that group in AEM.

For the second part, can you provide your assertion sample?

Kkkrish

21-04-2016

One strange behavior I have observed is that if I am passing the groups from the SAML assertion for the user who is authenticated, and the user already has another set of groups in the AEM instance, those are getting overridden with the SAML assertion groups. Is this the expected behavior? If this is always the result, I will not be able to retain user-specific group privileges within the AEM instance.

abhishekb

20-04-2016

As Justin said, this is supported OOTB with proper configuration. You need to configure the SAML handler for adding users to groups and the parameter name which will contain the groups in the assertion. You also need to have those groups pre-created in AEM.
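The thread establishes three rules for group synchronisation: one configured attribute name carries the groups, the groups must already exist in AEM, and the IdP-asserted set replaces whatever was assigned locally. The following is an added example, not code from the thread or from AEM, that models exactly that behaviour so an administrator can predict the outcome of a given assertion before enabling the handler. The assertion XML is constructed; the keys in `HANDLER_CONFIG` (`groupMembershipName`, `defaultGroups`, `addGroupMemberships`) are written to resemble the handler's OSGi property names but are an assumption here, not documentation.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion (not from the thread). Only the AttributeStatement
# matters for group synchronisation; signature and conditions are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Subject><saml:NameID>kkrish</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>content-authors</saml:AttributeValue>
      <saml:AttributeValue>idp-admins</saml:AttributeValue>
      <saml:AttributeValue>not-in-aem</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Handler settings as a plain dict. Key names are assumed, not taken from
# Adobe documentation; only one group attribute name can be configured.
HANDLER_CONFIG = {
    "groupMembershipName": "groups",
    "defaultGroups": ["contributor"],
    "addGroupMemberships": True,
}


def asserted_groups(assertion_xml, config):
    """Collect values of the single configured group attribute; other attributes are ignored."""
    root = ET.fromstring(assertion_xml)
    wanted = config["groupMembershipName"]
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != wanted:
            continue  # e.g. "roles": a second attribute name is simply not read
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                groups.append(value.text.strip())
    return groups


@dataclass
class SyncResult:
    membership: set           # groups the user ends up in
    added: set
    removed: set              # local assignments dropped because the IdP did not assert them
    skipped_unknown: set      # asserted but not pre-created in AEM
    review: list = field(default_factory=list)


def sync_groups(existing, asserted, config, aem_groups):
    """Apply the IdP-as-system-of-record rule the thread describes."""
    existing = set(existing)
    if not config["addGroupMemberships"]:
        return SyncResult(existing, set(), set(), set())
    target = set(asserted) | set(config["defaultGroups"])
    unknown = target - set(aem_groups)      # groups must exist in AEM beforehand
    membership = target - unknown           # replaces, rather than merges with, local groups
    result = SyncResult(membership, membership - existing, existing - membership, unknown)
    if "administrators" in asserted:
        # The thread recommends an IdP group that is a member of administrators
        # instead of asserting the built-in group directly.
        result.review.append("built-in 'administrators' asserted directly by the IdP")
    return result


if __name__ == "__main__":
    groups = asserted_groups(SAMPLE_ASSERTION, HANDLER_CONFIG)
    aem_groups = {"contributor", "content-authors", "idp-admins", "administrators"}
    print(sync_groups({"contributor", "local-reviewers"}, groups, HANDLER_CONFIG, aem_groups))
```

Running it shows the two effects asked about in the thread: `local-reviewers`, assigned only in AEM, is removed on the next login, and `not-in-aem` is skipped because the group was never created in AEM. The `roles` attribute never reaches the sync at all, which is the practical answer to the question about multiple Group Membership names.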

Tuhin_Ghosh

20-04-2016

I think it should support this scenario, but not OOTB. OOTB would put the user in the same groups mentioned in the config manager configuration. I guess you need to have an LDAP and intervene in between to achieve this.

This is just a theory; I have not implemented it myself.

Thanks

Tuhin