SOLVED

Closed User Group stopped working all of a sudden


Level 3

Hi,

We are using Asset Share Commons, and there are a few pages where we display restricted assets to a restricted group of people. We use CUGs to achieve this. The CUGs are applied on the folder and published. We have SAML authentication enabled, and the two properties below are set as mentioned. Everything had been working for the last 1.5 years, and it suddenly stopped working last week even though we didn't change anything. So, as a user who is a member of the CUG, I'm still not able to see the CUG assets on the Asset Share Commons page. It looks like the user is not getting added to the respective group on the publish instance, even though the property is set to true. Any idea what could be happening in this case?

  "addGroupMemberships": true,
  "groupMembershipAttribute":

1 Accepted Solution


Correct answer by
Level 3

Hi @arunpatidar, we involved Adobe tier 3 support and understood the reason for this issue. We had a group with the same name (as the CUG) in the Admin Console as well. Because of the introduction of dynamic membership (introduced sometime last December) in SAML handling, it was trying to add the user to the group that's in IMS, not the CUG, and was failing. So, in short, you shouldn't have the same user group used as a CUG in author and also in the Admin Console. I deleted the one from the Admin Console, then recreated the group in author, published it and configured it as a CUG. The issue is fixed.

Thank you Arun for looking into this case.

Thanks,
Rahul


5 Replies


Community Advisor

Hi @RahulMohan 
Can you inspect the SAML Response using the SAML Debugger plugin to check the group attribute?

Please check https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-integration-with-azure... 



Arun Patidar


Level 3

Hi @arunpatidar, the group mapping is correct. Below is the attribute element from the SAML response.

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
  <AttributeValue>High Level Pursuit Tax User</AttributeValue>
</Attribute>

And below is how it's configured in our SAML authentication handler -
"groupMembershipAttribute":

"http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

We recreated the trust store 2 weeks ago because of a security concern raised by Adobe. We just deleted the truststore entry and created it again using the same certificate from Azure AD. The alias name changed, and I updated that in the SAML authentication handler config and replicated the trust store.

Thanks,
Rahul
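The check Arun suggests above (pull the configured group attribute out of the SAML Response and see what the handler would actually map) and the root cause in the accepted solution (a CUG group whose name also exists in the Admin Console) can both be scripted. The script below is an added example written for this page; it is not code from the thread, from Asset Share Commons or from Adobe. It assumes a captured SAML Response (a constructed sample, with only the groups Attribute element modelled on the one quoted above), the two handler settings quoted in the thread (addGroupMemberships and groupMembershipAttribute), and a hypothetical list of Admin Console group names that you would export yourself.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The two SAML handler settings quoted in the thread.
SAML_HANDLER_CONFIG = {
    "addGroupMemberships": True,
    "groupMembershipAttribute":
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}

# Constructed sample SAML Response. Only the groups Attribute element is
# modelled on the one quoted in the thread; the rest is a minimal skeleton
# (no signature, no conditions) so the parsing can be exercised offline.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>High Level Pursuit Tax User</saml:AttributeValue>
        <saml:AttributeValue>Finance Readers</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def attribute_values(response_xml, attribute_name):
    """Return every AttributeValue (in document order) of the SAML Attribute
    with the given Name, across all Assertions in the Response."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                values.append((value.text or "").strip())
    return values


def groups_from_assertion(response_xml, config=SAML_HANDLER_CONFIG):
    """Group names the handler would try to add the user to, given the
    config: nothing when addGroupMemberships is off, otherwise the values of
    groupMembershipAttribute. Names are compared verbatim, so a trailing
    space or a case difference in the IdP claim is a real mismatch."""
    if not config.get("addGroupMemberships"):
        return []
    return attribute_values(response_xml, config["groupMembershipAttribute"])


def diagnose(response_xml, cug_groups, admin_console_groups,
             config=SAML_HANDLER_CONFIG):
    """Compare the groups carried in the assertion with the CUG group names
    applied on the folder and with the Admin Console (IMS) group names.
    admin_console_groups is a hypothetical list you export yourself; this
    script cannot read the Admin Console."""
    granted = set(groups_from_assertion(response_xml, config))
    cug = set(cug_groups)
    ims = set(admin_console_groups)
    return {
        # what the IdP actually sent for the configured attribute
        "granted": sorted(granted),
        # CUG groups the IdP never sent: the user cannot get in, whatever AEM does
        "missing_from_assertion": sorted(cug - granted),
        # CUG names that also exist in the Admin Console: the collision in the accepted answer
        "name_collisions": sorted(cug & ims),
        # sent by the IdP but not used as a CUG here
        "unexpected": sorted(granted - cug),
    }


if __name__ == "__main__":
    # Hypothetical inputs: the CUG group from the thread plus made-up names.
    report = diagnose(
        SAMPLE_RESPONSE,
        cug_groups=["High Level Pursuit Tax User", "Legal Readers"],
        admin_console_groups=["High Level Pursuit Tax User", "Marketing"],
    )
    for key, names in report.items():
        print(f"{key}: {names}")
```

Feed it the decoded Response from the SAML Debugger plugin instead of the constructed sample, and the CUG names from the folder's closed user group policy; a non-empty "name_collisions" list is the condition the accepted solution describes, and a non-empty "missing_from_assertion" list means the IdP side, not AEM, is dropping the group.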


Level 3

Hi @arunpatidar, just to add: SAML authentication is working fine, but the CUG logic is not. In our case, encryption is not enabled, and hence I believe there is no need to create an authentication-service trust store. The documentation below mentions that - https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/authentication/sam...

Moreover, it was working fine and suddenly it stopped.
By any chance, do you know if any changes happened on the Adobe side for SAML handling?

Thanks,
Rahul


Community Advisor

Hi @RahulMohan 
Could you please enable debug logs for the SAML bundle and check the logs?



Arun Patidar
