
How to autosync an external Group into Existing repository group - SSO related ?


Level 2

Hello,

I am trying to implement SAML 2.0 SSO in the Author environment, and I want to define an external group early in the Author environment along with its permissions, so that when users log in via SSO their AD group already exists in the repository and they can start accessing different pages as soon as they log in. However, as users log in via SSO, I find that the external groups are not getting synced into their profile in AEM, due to the following error:


org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Existing authorizable '<group-name>' is not a group from this IDP '<IDP-name>'.

Kindly advise whether this idea is feasible, or whether permissions for an external group should only be defined after it has been created in the repository on the first user's login?


If not, kindly advise on how I can resolve this scenario, so that the user's external groups already exist in the repository along with the necessary group permissions.

Thanks,

Prasanth 


2 Replies


Community Advisor

Hi @PrasanthAnandharaj 
Can you check if you already have the group set up in AEM? You may need to create the groups up front in AEM so that the SAML group can be synced.

Arun Patidar


Level 2

Hi @arunpatidar , Thanks for the reply !
Yes, I noticed that the AD group is created in AEM in the format <AD-group-name;idpIdentifier> when an SSO user logs in. So I wiped out the user and the created group from the AEM repository, created the AEM group in the mentioned format, and then assigned permissions to it.

Unfortunately, this time when the SSO user logs in, the AD group is not part of this user's group membership in AEM, and there are logs as below:

org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext Existing authorizable '<group-name>' is not a group from this IDP '<IDP-name>'.

Kindly advise if there are any issues with the AEM group naming convention.

Ex:

AD group: content-authors

idpIdentifier [in SAML config]: abc

Group-id created on AEM: content-authors;abc
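The warning quoted in both posts comes from the IDP-ownership check that Oak's DefaultSyncContext runs on a group it finds already in the repository. The following is an added example, not code from this thread or from Oak/AEM: a simplified Python model of that check, built on the Oak convention that a synced authorizable carries a `rep:externalId` property of the form `<externalId>;<idpName>` (escaping of `;` inside the id is omitted here; the in-memory `repo` dictionary and `Group` class are constructed stand-ins for the JCR user manager). It shows that a pre-created group passes the check only when that property names the same IDP, regardless of how the group id itself is spelled.

```python
"""Simplified model of DefaultSyncContext's 'same IDP' check (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REP_EXTERNAL_ID = "rep:externalId"  # property Oak stamps on synced authorizables


def parse_external_ref(value: str) -> Tuple[str, Optional[str]]:
    """Split an external reference 'id;providerName' into its two parts.

    Simplification: a ';' inside the id is not escaped in this model.
    """
    head, sep, tail = value.partition(";")
    return head, (tail if sep else None)


@dataclass
class Group:
    """Constructed stand-in for a JCR group: authorizable id plus properties."""
    authorizable_id: str
    properties: Dict[str, str] = field(default_factory=dict)


def is_same_idp(group: Group, idp_name: str) -> bool:
    """True only if rep:externalId exists and names the syncing IDP."""
    ext = group.properties.get(REP_EXTERNAL_ID)
    if ext is None:
        return False  # a manually created group has no external reference
    _, provider = parse_external_ref(ext)
    return provider == idp_name


def sync_group(repo: Dict[str, Group], external_id: str, idp_name: str) -> str:
    """Model the sync outcome for one external group: create, sync, or refuse."""
    grp = repo.get(external_id)
    if grp is None:
        # First login: the sync creates the group and records who owns it.
        repo[external_id] = Group(
            external_id, {REP_EXTERNAL_ID: f"{external_id};{idp_name}"})
        return "created"
    if is_same_idp(grp, idp_name):
        return "synced"
    # The thread's case: the group exists but is not attributed to this IDP.
    return (f"Existing authorizable '{external_id}' is not a group "
            f"from this IDP '{idp_name}'.")


if __name__ == "__main__":
    # Constructed scenario from the thread: group pre-created by hand, IDP 'abc'.
    manual = {"content-authors": Group("content-authors")}
    print(sync_group(manual, "content-authors", "abc"))
    stamped = {"content-authors": Group(
        "content-authors", {REP_EXTERNAL_ID: "content-authors;abc"})}
    print(sync_group(stamped, "content-authors", "abc"))
```

Run as a script it prints the warning for the hand-made group and `synced` for the stamped one; a group stamped with a different provider name (`content-authors;other-idp`) is refused the same way as an unstamped one.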