SOLVED

AEM User/Group Creation API

Level 4

Hi,

We are trying to implement authentication using the OOTB SAML handler for one of our applications. We see an option to auto-create users and assign them to default AEM user groups. Our requirement is that there are two types of users: 1. Dealer Admin and 2. Dealer User. I could not understand how we can differentiate between these two users after successful login using the same SAML configuration.

Also, out of the below two approaches to user and user group creation and assigning permissions, which one is preferable?

1. Auto-create users and assign them to user groups created manually.

2. Create users and user groups and manage permissions manually. With respect to this, does AEM expose any API which can be invoked by the IDP or AD to create users and user groups?

Any suggestions on this would be very helpful.

1 Accepted Solution

Correct answer by
Community Advisor

Hi @srikanthp689160

The AEM SAML Authentication Handler creates users automatically and there is no control over user creation.

But if I understand your requirement correctly, you want to allocate groups to each user based on some SAML attribute values of the user. If that is correct, you should mention these attributes in the "Synchronized attributes" field, like "employeetype=profile/employeetype", where employeetype is the SAML assertion attribute and it will be added as the employeetype property in the profile node under the created user.

Now you can create a workflow which starts on creation of the user node and then assigns the proper group to the user depending on the user's profile properties. The groups can then be used to manage permissions. Even if your group assignment does not depend on SAML assertion values, you can still achieve group allocation using a workflow.

Hope it helps!

Thanks,

Nupur

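As an added example (not code from this thread or from Adobe), here is the kind of workflow process step the accepted answer describes, written in Java against the Granite workflow API and the Jackrabbit user-management API. It assumes a workflow launcher configured to start on creation of rep:User nodes under /home/users (so the workflow payload is the user's path), the "employeetype=profile/employeetype" synchronized-attribute mapping from the answer, and two hypothetical, pre-created AEM groups, dealer-admins and dealer-users, selected by the hypothetical attribute values dealer-admin and dealer-user.

```java
package com.example.saml; // hypothetical package, not from the thread

import java.util.Map;

import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.adobe.granite.workflow.WorkflowException;
import com.adobe.granite.workflow.WorkflowSession;
import com.adobe.granite.workflow.exec.WorkItem;
import com.adobe.granite.workflow.exec.WorkflowProcess;
import com.adobe.granite.workflow.metadata.MetaDataMap;

/**
 * Workflow process step: the payload is a freshly created user node. The step reads the
 * SAML attribute that the handler synchronized to <user>/profile/employeetype and puts the
 * user into exactly one of the dealer groups, removing stale membership in the other one.
 */
@Component(
    service = WorkflowProcess.class,
    property = { "process.label=Assign Dealer Group From SAML Attribute" })
public class AssignDealerGroupProcess implements WorkflowProcess {

    private static final Logger LOG = LoggerFactory.getLogger(AssignDealerGroupProcess.class);

    /** Profile property written by the handler's "Synchronized attributes" mapping. */
    private static final String PROFILE_PROPERTY = "employeetype";

    /** Assumed mapping from SAML attribute value to a group that already exists in AEM. */
    private static final Map<String, String> GROUP_BY_TYPE = Map.of(
        "dealer-admin", "dealer-admins",
        "dealer-user", "dealer-users");

    @Override
    public void execute(WorkItem workItem, WorkflowSession workflowSession, MetaDataMap args)
            throws WorkflowException {
        String userPath = String.valueOf(workItem.getWorkflowData().getPayload());
        Session session = workflowSession.adaptTo(Session.class);
        if (!(session instanceof JackrabbitSession)) {
            throw new WorkflowException("Workflow session does not expose the Jackrabbit user API");
        }
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            Authorizable authorizable = userManager.getAuthorizableByPath(userPath);
            if (authorizable == null || authorizable.isGroup()) {
                LOG.warn("Payload {} is not a user node, skipping", userPath);
                return;
            }
            User user = (User) authorizable;

            String employeeType = readProfileProperty(session, userPath);
            String targetGroupId = employeeType == null ? null : GROUP_BY_TYPE.get(employeeType.toLowerCase());
            if (targetGroupId == null) {
                // Fail closed: an unmapped or missing value grants no dealer role at all.
                LOG.warn("User {} has unmapped employeetype '{}', no dealer group assigned", user.getID(), employeeType);
                return;
            }

            Authorizable target = userManager.getAuthorizable(targetGroupId);
            if (target == null || !target.isGroup()) {
                // Groups are not created here; they must be created in AEM beforehand.
                throw new WorkflowException("Group " + targetGroupId + " does not exist in AEM");
            }

            // Enforce a single dealer role: drop membership in the other mapped groups first, so a
            // changed attribute on a later run moves the user instead of accumulating roles.
            for (String otherId : GROUP_BY_TYPE.values()) {
                if (otherId.equals(targetGroupId)) {
                    continue;
                }
                Authorizable other = userManager.getAuthorizable(otherId);
                if (other != null && other.isGroup() && ((Group) other).removeMember(user)) {
                    LOG.info("Removed {} from {}", user.getID(), otherId);
                }
            }
            if (((Group) target).addMember(user)) {
                LOG.info("Added {} to {}", user.getID(), targetGroupId);
            }
            session.save();
        } catch (RepositoryException e) {
            throw new WorkflowException("Group assignment failed for " + userPath, e);
        }
    }

    /** Returns the profile property, or null when the profile node or the property is absent. */
    private static String readProfileProperty(Session session, String userPath) throws RepositoryException {
        String profilePath = userPath + "/profile";
        if (!session.nodeExists(profilePath)) {
            return null;
        }
        Node profile = session.getNode(profilePath);
        return profile.hasProperty(PROFILE_PROPERTY) ? profile.getProperty(PROFILE_PROPERTY).getString() : null;
    }
}
```

The step runs under the workflow's own session, so that service user needs user-management rights on /home for addMember and removeMember to succeed; the step deliberately throws rather than creating a missing group, matching the later replies' point that groups must pre-exist in AEM. Because it removes the user from the other mapped group before adding the new one, the same step can be re-run when the attribute changes without leaving the old role behind.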
11 Replies

Level 4

Hi nupurjain, thanks for the information, will try this out. Is there an OOTB way of assigning users to different groups after login?

Employee

The SAML response from whatever IdP you're integrating with should set what groups the user is to be added to.

The default group is just a group that you may want all users to belong to. Having a default group set is subjective to whatever the requirements are. It may not be necessary.

NOTE -- the groups must pre-exist in AEM; AEM won't automatically create the group if it doesn't exist.

It will create the users, but not the group.

Level 4

Hi aemmarc, I did not understand what exactly you meant by this statement: "The SAML response from whatever Idp you're integrating with should set what groups the user is to be added to."

Do you mean that if the SAML response contains the AEM user group name, the user will be mapped to that AEM user group automatically after successful authentication? If yes, can you please provide more details on this?

If no, as nupurjain mentioned, we might have to implement a workflow or SAMLPostProcessor to assign the user to a group after successful login.

Please correct me if the above understanding is wrong.

Community Advisor

Hi @srikanthp689160,

If you have 2 groups in your IDP - Dealer Admin and Dealer User - make sure you create the same user groups in AEM manually and assign them the required permissions.

The names of the user groups in AEM and in your IDP should match.

And in your SAML Authentication Handler, "Add to Groups" should be enabled by default.

So now when your user is created in AEM, it is added to the created group in AEM (Dealer Admin/Dealer User), based on which group that user belongs to in the IDP.

Level 4

Hi @ChitraMadan, do you mean that by making sure the CRX group name and the group name in the IDP are exactly the same, enabling the "Add to Groups" checkbox and providing "Group Membership" with the respective SAML attribute, the user will be added to that particular group? I will try this out.

Screenshot for reference: SAML-Group-Fields.JPG

Community Advisor

Hi @srikanthp689160 , Also create a logger, it will be really helpful.

Configure a Logger for SAML

You can set up a Logger in order to debug any issues that might arise from misconfiguring SAML. You can do this by: Going to the Web Console, at http://localhost:4502/system/console/configMgr Search for and click on the entry called Apache Sling Logging Logger Configuration

Create a logger with the following configuration:

Log Level: Debug Log

File: logs/saml.log

Logger: com.adobe.granite.auth.saml

Level 4

Hi @ChitraMadan, the IDP was not ready to send the AEM user group name in the SAML response, so we could not go ahead and try this. We might have to try the approach suggested by @Nupur_Jain, where we need to implement a custom workflow to add the user to a group after successful login.

Level 4

Hi @ChitraMadan,

I have one question on the Default Groups configuration in the SAML Authentication Handler. From the documentation I understand that if "Autocreate CRX Users" is checked and "Group Membership" is configured with the name of an attribute in the SAML response, the user would be added to the respective groups after user creation. On subsequent login attempts, if the value in the SAML response against Group Membership changes, will the user be removed from the earlier group? For example, user1 is logging in for the first time and the SAML response contains Group Membership as group1; after successful login, the user is added to group1. As part of the business requirement, if the user needs to be mapped to a different CRX user group, group2, and removed from the earlier group (group2), then how should the Group Membership attribute in the SAML response look? Would just group2 do? Will this take care of removing the user from group1? Is there a way we can test this scenario? I could not think of a way, since we do not have access to the IDP configuration. Any inputs on an open source IDP where we can configure SAML response attributes would be highly helpful.