We are trying to implement authentication using the OOTB SAML handler for one of our applications. We see an option to auto-create users and assign them to default AEM user groups. Our requirement is that there are two types of users: 1. Dealer Admin and 2. Dealer user. I could not understand how we can differentiate between these two users after successful login using the same SAML configuration.
Also, out of the two approaches below for user and user group creation and assigning permissions, which one is preferable?
1. Auto-create users and assign them to a user group created manually
2. Create users and user groups and manage permissions manually. With respect to this, does AEM expose any API which can be invoked by the IDP or AD to create users and user groups?
The AEM SAML Authentication Handler creates users automatically and there is no control over user creation.
But if I understand your requirement correctly, you want to allocate groups to each user based on some SAML attribute values of the user. If that is correct, you should mention these attributes in the "Synchronized attributes" field, like "employeetype=profile/employeetype", where employeetype is the SAML assertion attribute value; it will be added as the employeetype property in the profile node under the created user.
Now, you can create a workflow which starts on creation of the user node and then assigns the proper group to the user depending upon the user's profile properties. The groups can then be used to manage permissions. Even if your group assignment is not dependent on SAML assertion values, you can still achieve group allocation using a workflow.
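As an added example (not code from this thread or from AEM itself), the workflow step described above written as a Granite WorkflowProcess: it reads the profile/employeetype property synchronized from the SAML assertion and adds the new user to one of two manually created groups, defaulting to the less privileged group. The group IDs, the assertion value "DealerAdmin", and the assumption that the workflow launcher passes the new user node's path as the payload are all assumptions.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Value;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.service.component.annotations.Component;

import com.adobe.granite.workflow.WorkflowException;
import com.adobe.granite.workflow.exec.WorkItem;
import com.adobe.granite.workflow.exec.WorkflowProcess;
import com.adobe.granite.workflow.exec.WorkflowSession;
import com.adobe.granite.workflow.metadata.MetaDataMap;

/** Hypothetical process step: maps profile/employeetype to a dealer group. */
@Component(service = WorkflowProcess.class,
           property = {"process.label=Assign Dealer Group From Profile"})
public class AssignDealerGroupProcess implements WorkflowProcess {

    // Assumed group IDs; both groups are created manually in AEM beforehand.
    private static final String ADMIN_GROUP = "dealer-admins";
    private static final String USER_GROUP = "dealer-users";

    @Override
    public void execute(WorkItem item, WorkflowSession wfSession, MetaDataMap args) throws WorkflowException {
        // Assumed: the launcher on user-node creation passes the user's path as payload.
        String userPath = String.valueOf(item.getWorkflowData().getPayload());
        ResourceResolver resolver = wfSession.adaptTo(ResourceResolver.class);
        UserManager um = resolver.adaptTo(UserManager.class);
        try {
            Authorizable user = um.getAuthorizableByPath(userPath);
            if (user == null || user.isGroup()) { return; }
            // Property written by the "employeetype=profile/employeetype" synchronization.
            Value[] type = user.getProperty("profile/employeetype");
            String employeeType = (type != null && type.length > 0) ? type[0].getString() : "";
            // Least privilege: only an explicit "DealerAdmin" (assumed value) gets the admin group.
            String targetId = "DealerAdmin".equalsIgnoreCase(employeeType) ? ADMIN_GROUP : USER_GROUP;
            Authorizable target = um.getAuthorizable(targetId);
            if (target == null || !target.isGroup()) {
                throw new WorkflowException("Group not found: " + targetId);
            }
            Group group = (Group) target;
            if (!group.isMember(user)) {
                group.addMember(user);
                resolver.commit();
            }
        } catch (RepositoryException | PersistenceException e) {
            throw new WorkflowException("Group assignment failed for " + userPath, e);
        }
    }
}
```

Because the assertion value decides membership, restrict who can issue assertions with that attribute at the IDP, since anyone who can set it would land in the admin group.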