SOLVED

AEM SAML Authentication and Group assignation

Kkkrish
Level 5

Will AEM support one-to-one group assignment after the user logs in via SAML? I have attached the image below for the use case I am looking for.

1 Accepted Solution
justin_at_adobe
Correct answer by
Employee

Yes, groups contained in the SAML assertion can be assigned to a user when the assertion is received if the SAML Authentication Handler is configured properly. See http://adobe.ly/1XJsIkQ.


13 Replies
Tuhin_Ghosh
Level 7

I think it should support this scenario, but not OOTB. OOTB would put the user in the same groups mentioned in the Config Manager configuration. I guess you need to have an LDAP and intervene in between to achieve this.

This is just a theory; I have not implemented it myself.

Thanks

Tuhin 

abhishekb
Level 3

As Justin said, this is supported OOTB with proper configuration. You need to configure the SAML handler to add users to groups, and set the parameter name that will contain the groups in the assertion. You also need to have those groups pre-created in AEM.

Kkkrish
Level 5

One strange behavior I have observed: if I am passing the groups from the SAML assertion for the authenticated user, and the user already has another set of groups in the AEM instance, those are overridden with the SAML assertion groups. Is this the expected behavior? If this is always the result, I will not be able to retain user-specific group privileges within the AEM instance.

abhishekb
Level 3

Yes, that's the expected behavior. You can have some default groups to which all users will be added when they land in AEM.

abhishekb
Level 3

kk krish wrote...

Yes, default group assignment is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with their respective groups?

This is not weird. Your IDP is responsible for the user's profile (which includes user groups, among other things). With this configuration you make the IDP the central system of record. You should not change the profile within AEM. If you want more permissions for some users, create another group in the IDP and add permissions to that group in AEM.

For the second part, can you provide your assertion sample?
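A small model of the group-sync behaviour discussed in this thread, added here as an illustration (this is not AEM's own code; the attribute names memberOf and projectGroups, the user and the group names are constructed): it extracts the values of the one configured group attribute from a SAML assertion, ignores any other attribute, and shows that prior memberships are replaced rather than merged, that groups not pre-created in AEM are skipped, and that default groups are always added.

```python
# Illustrative model of the SAML handler's group sync as described in this thread.
# Not AEM code. The two settings mirror the handler's "Group Membership" attribute
# name and its default-groups list; the assertion below is constructed sample data.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: two attributes carry groups, but the handler
# is configured with only one group attribute name, so the second is ignored.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>kkkrish</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>content-authors</saml:AttributeValue>
      <saml:AttributeValue>dam-users</saml:AttributeValue>
      <saml:AttributeValue>not-in-aem</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="projectGroups">
      <saml:AttributeValue>project-x</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_groups(assertion_xml, group_attribute):
    """Return the values of the single configured group attribute; others are ignored."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == group_attribute:
            return [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return []


def sync_groups(current, asserted, existing_aem_groups, default_groups):
    """Model of the sync outcome: memberships are replaced, not merged.
    Asserted groups missing from AEM are skipped (they must be pre-created),
    default groups are always added. Returns (members, skipped, dropped) so an
    operator can log which local memberships were lost on login."""
    kept = {g for g in asserted if g in existing_aem_groups}
    skipped = [g for g in asserted if g not in existing_aem_groups]
    dropped = sorted(set(current) - kept - set(default_groups))
    return sorted(kept | set(default_groups)), skipped, dropped


def demo():
    """Worked case: a locally assigned 'local-editors' membership does not survive."""
    asserted = assertion_groups(SAMPLE_ASSERTION, "memberOf")
    aem_groups = {"content-authors", "dam-users", "local-editors", "everyone"}
    return sync_groups(["local-editors", "dam-users"], asserted, aem_groups, ["everyone"])
```

Running demo() returns the new membership list, the asserted groups that were skipped because they do not exist in AEM, and the local groups dropped by the sync.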

Kkkrish
Level 5

Yes, default group assignment is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with their respective groups?

Kkkrish
Level 5

kk krish wrote...

Yes, default group assignment is OK. But overriding the existing user-assigned groups is a little weird.

Anyhow, I have one more curious question: how can we configure more than one Group Membership name in AEM, if my SAML assertion is capable of sending multiple parameter names with their respective groups?

Right now I don't have a SAML assertion with multiple parameter names in hand. I was just curious whether it is possible, and how to handle it in an AEM instance, because the AEM SAML Authentication Handler appears to have only one entry for "Group Membership".

Kkkrish
Level 5

I also observed that if the user belongs to the administrators group, the SAML authentication login goes into an infinite loop, and the SAML logger shows the following.

"    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:313)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:459)
    ... 75 common frames omitted
21.04.2016 16:56:02.624 *WARN* [qtp311822445-321] com.adobe.granite.auth.saml.SamlAuthenticationHandler Private key of SP not provided: Cannot sign Authn request.
21.04.2016 16:56:03.313 *ERROR* [qtp311822445-319] com.adobe.granite.auth.saml.SamlAuthenticationHandler User synchronization failed: Could not access repository.
javax.jcr.AccessDeniedException: OakAccess0000: Access denied
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:231)
    at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:212)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:594)
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:461)
    at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.perform(SessionImpl.java:435)"

abhishekb
Level 3

Because that's the standard: the same attribute shouldn't come under two different attribute names. If your SAML provider is not following the standard, you shouldn't expect AEM or any other product to handle that.

If you want to make a user an admin along with SAML SSO, I would suggest creating a custom group in your IDP, and making that group a member of the OOTB administrators group.

You should read more about user privileges at [1].

[1] https://docs.adobe.com/docs/en/aem/6-2/administer/security/security.html

Kkkrish
Level 5

Thanks All,

I am able to assign the groups that are in the SAML assertion, and in AEM I am not using any default groups.

SAMIKSHAJAIN
Level 2

Hi, how did you solve this issue? In my case the user is getting created properly, but the groups are not getting assigned correctly.