SOLVED

GroupMember is required or not for saml authentication handler

Level 2

Hi,

I am using the SAML authentication handler to integrate with the IDP (Identity Directory Provider) in the AEM configuration console. When doing the sync with the IDP, is the GroupMembership required from the IDP SAML attribute? I am considering that this may be related to the user permissions after the user is authenticated by the IDP successfully. If the IDP doesn't provide the group attribute information, may I just use the default group settings in AEM to make sure the user will be added to the CRX group (contributor) and granted the necessary permissions to view the AEM resources? Because for now I am getting an HTTP 403 error on the AEM page after the IDP has authenticated, I think that would be an AEM permission problem for this new user synced from the IDP.

[img]AEMConsole.jpg[/img]

1 Accepted Solution

Correct answer by
Level 10

Hi Wang Owen

With SP1 it is a bug & is fixed in SP2. Please wait till the SP2 release or file a Daycare ticket to get a hotfix.

Thanks,

Sham

3 Replies

Level 1

Hi Sham and Wang Owen,

We have successfully integrated our IDP with AEM 6.0 (SP1) through the SAML authentication handler.

@Wang Owen: we have also faced the 403 error. Once the user gets authenticated by the IDP, our AEM gives a 403 error (please note that we are also not passing any group attribute in the SAML response).

Below are the steps we have done to overcome this issue:

1) In the "Apache Sling Referrer Filter", in the "Allow hosts" option, we have to give the host name in the format "www.<hostname>:<portno>".

2) Verify the certificates that are being created between AEM and the IDP. Make sure you have created a node called private under /etc/key/saml and uploaded the private key in PKCS#8 format.

Passing the group attribute is not mandatory; just uncheck "Add to Groups". The user will be created in AEM and assigned to the group "everyone".

Regards

Surya Raju
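Step 2 of the reply above is where most hands-on mistakes happen (a key in the wrong encoding under /etc/key/saml). The script below is an added example written for this thread, not code from the poster or from Adobe: it converts a PEM private key to unencrypted PKCS#8 DER with openssl, checks that the result actually parses as a key before anything is uploaded, and then pushes it to AEM. The AEM URL and admin credentials (AEM_URL, AEM_USER, AEM_PASS) and the assumption that a multipart POST with field name "private" to /etc/key/saml creates the node the SAML handler reads are assumptions of this example, not facts stated in the thread; verify the resulting node in CRXDE before testing a login. Unchecking "Add to Groups" is a configuration-console setting and has no scriptable part here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Adobe: prepare the SAML
# private key in the PKCS#8 form step 2 of the reply describes and upload it
# as the node "private" under /etc/key/saml.
# Assumptions (not stated on the page): AEM listens at $AEM_URL, $AEM_USER /
# $AEM_PASS are admin credentials, and a multipart upload with field name
# "private" to /etc/key/saml creates the node the SAML handler reads.
set -eu

AEM_URL="${AEM_URL:-http://localhost:4502}"
AEM_USER="${AEM_USER:-admin}"
AEM_PASS="${AEM_PASS:-admin}"

# Convert a PEM private key (traditional "RSA PRIVATE KEY" or already PKCS#8)
# to unencrypted PKCS#8 DER, the encoding the reply says AEM 6.0 expects.
to_pkcs8_der() {
    in_pem="$1"; out_der="$2"
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
        -in "$in_pem" -out "$out_der"
}

# Return 0 if the file parses as a DER-encoded private key, 1 otherwise.
# Catching a wrong encoding here is cheaper than debugging a 403 later.
der_is_private_key() {
    openssl pkey -inform DER -in "$1" -noout >/dev/null 2>&1
}

# Upload through the Sling POST servlet (assumed node layout, see above).
# -f makes curl fail on an HTTP error instead of printing the error page.
upload_private_key() {
    der="$1"
    curl -sS -f -u "$AEM_USER:$AEM_PASS" -F "private=@$der" "$AEM_URL/etc/key/saml"
}

main() {
    pem="$1"
    der="${pem%.*}.der"
    to_pkcs8_der "$pem" "$der"
    if ! der_is_private_key "$der"; then
        echo "error: $der is not a parseable PKCS#8 DER key, not uploading" >&2
        return 1
    fi
    upload_private_key "$der"
    echo "uploaded $der to $AEM_URL/etc/key/saml/private"
}

# Usage: AEM_URL=http://aem-host:4502 sh saml_key.sh private.pem
if [ $# -ge 1 ]; then
    main "$1"
fi
```

Run it once per environment against the same key pair whose certificate you registered with the IDP; a key that converts but fails the parse check, or an upload that returns a non-2xx status, is worth stopping on rather than proceeding to a login test.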

Level 2

Hi Sham,

Thank you for your response.

Is it for the AEM 6.0 version, right? Can we just use the default group attribute with the existing CRX user group in it and leave the groupmembership attribute blank? Will that be workable?