Hi,
We are using asset share commons and there are a few pages where we display restricted assets to a restricted group of people. We use CUG to achieve this. CUGs are applied in the folder and published. We have SAML authentication enabled and the below two properties are updated as mentioned. Everything has been working for the last 1.5 years and suddenly it stopped working last week even though we didn't change anything. So as a user who is a member of CUG, I'm still not able to see the CUG assets in the asset share commons page. Looks like the user is not getting added to the respective group in the publish instance, even if the property is marked as true. Any idea what should be happening in this case?
Hi @arunpatidar , We involved Adobe tier 3 support and understood the reason for this issue. We had a group with the same name (as the CUG) in the admin console as well. And because of the introduction of dynamic membership (introduced sometime last December) in SAML handling, it was trying to add the user to the group that's in the IMS and not the CUG and was failing. So in short, you shouldn't have the same user group to use as CUG in the author and also in the admin console. I deleted the one from the admin console and then recreated the group in author, published and configured it as CUG. And the issue is fixed.
Thank you Arun for looking into this case.
Thanks,
Rahul
Hi @RahulMohan
Can you check the SAML Response using the SAML Debugger plugin to check the group attribute?
Please check https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-integration-with-azure...
Hi @arunpatidar , The groups mapping is correct. Below is the attribute element from the SAML.
<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"> <AttributeValue>High Level Pursuit Tax User</AttributeValue> </Attribute>
And below is how it's configured in our SAML authentication handler -
"groupMembershipAttribute":
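An added example, not part of the original thread and not Adobe's code: it reads the group attribute out of a captured, base64-encoded SAMLResponse (the check suggested above) and flags any claimed group name that exists both as a local CUG group and as an Admin Console (IMS) group, the collision described in the accepted solution. The function names and the two group sets are assumptions; the sets stand for lists exported by hand, and names are compared as exact strings.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

def group_claims(saml_response_b64, attribute_name=GROUPS_CLAIM):
    """Return the AttributeValue strings of the group attribute in a captured
    SAMLResponse. For offline inspection only: no signature validation."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values += [(v.text or "").strip()
                       for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return values

def audit(claimed, local_groups, ims_groups):
    """Classify each claimed group name by where a group of that name exists."""
    report = {}
    for name in claimed:
        in_local, in_ims = name in local_groups, name in ims_groups
        if in_local and in_ims:
            report[name] = "collision"   # same name in both places
        elif in_local:
            report[name] = "local-only"
        elif in_ims:
            report[name] = "ims-only"
        else:
            report[name] = "unknown"     # claim matches no known group
    return report

# Constructed sample response; only the first group value comes from the thread.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AttributeStatement>'
    f'<Attribute Name="{GROUPS_CLAIM}">'
    '<AttributeValue>High Level Pursuit Tax User</AttributeValue>'
    '<AttributeValue>Example Viewers</AttributeValue>'
    '</Attribute></AttributeStatement></Assertion></samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
LOCAL_CUG_GROUPS = {"High Level Pursuit Tax User"}               # constructed
IMS_GROUPS = {"High Level Pursuit Tax User", "Example Viewers"}  # constructed

if __name__ == "__main__":
    for name, status in audit(group_claims(SAMPLE_B64), LOCAL_CUG_GROUPS, IMS_GROUPS).items():
        print(f"{status:10} {name}")
```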
Hi @arunpatidar , Just to add, SAML authentication is working fine. But the CUG logic is not. In our case, encryption is not enabled and hence I believe there is no need to create an authentication-service trust store. The below documentation mentions that - https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/authentication/sam...
Moreover, it was working fine and suddenly it stopped.
By any chance, do you know if any changes happened on Adobe's side for SAML handling?
Thanks,
Rahul
Hi @RahulMohan
Could you please enable debug logs for the SAML bundle and check the logs?