Expand my Community achievements bar.

How to autosync an external Group into Existing repository group - SSO related ?

Avatar

Level 2
Level 2
6/25/24 1:24:37 AM

Hello,

I am trying to implement SAML 2.0 SSO in Author Environment and I want to define an external group early in the Author environment along with Permission, so that when users login via SSO, their AD group already exists in repository and they can start accessing different pages, as soon as they login. However, as users login via SSO, I find that the External groups are not getting sync-up into their profile in AEM, due to the following error :

 

org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Existing authorizable '<group-name>' is not a group from this IDP '<IDP-name>'.

Kindly advice, if this idea is feasible ? or Permission for an external group should be only defined, after its created in repository after first user's login ? 

 

If not, kindly advise on how can I resolve this scenario, so that user's external groups already exist in repository along with necessary Group permissions ?

Thanks,

Prasanth 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Experience Manager

Views

324

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
2 Replies

Avatar

Community Advisor
Community Advisor
6/25/24 2:14:45 AM

Hi @PrasanthAnandharaj 
Can you check if you already have group setup in AEM? you may need to create groups in-front in AEM, so that SAML group can be synced.



Arun Patidar

Views

316

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
6/25/24 9:01:52 PM
In response to arunpatidar

Hi @arunpatidar , Thanks for the reply !
Yes, I noticed that the AD group is created in AEM in the format of <AD-group-name;idpIdentifier> when a SSO user login. So I wiped out the user and created group from AEM repository and created the AEM group in the mentioned format, followed by assigning permissions to it. 

Unfortunately, this time when the SSO user login, the AD group is not a part of this user's group-membership in AEM and there are logs as below : 

org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Existing authorizable '<group-name>' is not a group from this IDP '<IDP-name>'.

 Kindly advice, if there are any issues with the AEM group naming convention.

Ex : 
AD group :   content-authors

idpIdentified [in saml config] : abc

Group-id created on AEM : content-authors;abc

Views

257

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Unable to find users , user roles , company information through Mangento Rest API in postman

Views

171

Likes

0

Replies

2
Adobe Developers Live, November 2024, Session | Bringing AI and Personalization to AEM Edge Delivery Services

Views

245

Likes

0

Replies

0
Adobe Developers Live, November 2024, Session | A Real-World Journey to Edge Delivery Services

Views

151

Likes

0

Replies

0
Adobe Developers Live, November 2024, Session | How AEM Sites Leverages GenAI

Views

259

Like

1

Replies

3
Adobe Developers Live, November 2024, Session | UI Extensibility - Magic Buttons and how to build them.

Views

154

Likes

0

Replies

0