Hi ,
I am using the saml authentication handler to integrated with IDP(Identity Directory Provider) in AEM configuration console. When do the sync up with IDP, is the GroupMembership is required from IDP saml attribute? As I am considering this is may related to the user permissions after user authenticated by IDP successfully. if IDP doesn't provide the group attribute information, may I just use default group settings in AEM to make sure the user will be added to CRX group (contributor) and grant the necessary the permission to view the AEM resources? Because for now I am getting a HTTP 403 Error of AEM page after IDP authenticated, I think that would be AEM permission problem for this new sync user from IDP.
[img]AEMConsole.jpg[/img]
Solved! Go to Solution.
Views
Replies
Total Likes
Hi Wang Owen
With sp1 it is bug & is fixed in sp2. Please wait till sp2 release Or file daycare to get hotfix.
Thanks,
Sham
Views
Replies
Total Likes
Hi Sham and Wang Owen,
we are have successfully integrated our IDP with AEM 6.0 ( sp1) through SAML authentication handler.
@Wang Owen: we have also faced the 403 error. once the user gets authenticated by IDP our AEM is giving 403 error( please note that we are also not passing any group attribute in the SAML response).
below are the steps we have done to overcome this issue:
1) In the "Apache Sling Referrer Filter" in the "Allow hosts" option we have to give the name of the host name in the format "www.<hostname>:<portno>".
2) verify the certificates that is being created and between AEM and IDP. make sure you have create a node called private under /etc/key/saml and uploded the private key in pkcs#8 format.
passing group attribute in not mandatory, just uncheck "Add to Groups". user will be created in the AEM and assigned to the group "everyone".
Regards
Surya Raju
Views
Replies
Total Likes
Hi Wang Owen
With sp1 it is bug & is fixed in sp2. Please wait till sp2 release Or file daycare to get hotfix.
Thanks,
Sham
Views
Replies
Total Likes
Hi Sham,
Thank you for your response.
Is it for the AEM 6.0 version right? Can we just use the default group attribute with existing crx user group in it and leave the groupmembership attribute blank? will that be workable?
Views
Replies
Total Likes
Views
Like
Replies