Expand my Community achievements bar.

Radically easy to access on brand approved content for distribution and omnichannel performant delivery. AEM Assets Content Hub and Dynamic Media with OpenAPI capabilities is now GA.
SOLVED

Process user groups with custom logic post SAML authentication

Avatar

Level 2

Hi All,

 

I have scenario where I want to process and transform the user groups received in SAML response post authentication to the format that matches with AEM groups and assign the users to the groups. Our application is running on Cloud Service.

 

@component(name = "CustomAuthenticationInfoPostProcessor", service = AuthenticationInfoPostProcessor.class, immediate = true)
public class CustomAuthenticationInfoPostProcessor implements AuthenticationInfoPostProcessor {

public static final Logger LOG = LoggerFactory.getLogger(CustomAuthenticationInfoPostProcessor.class);

@reference
private SlingSettingsService slingSettingsService;

@reference
private ResourceResolverFactory resolverFactory;

private ResourceResolver resolver;

@Override
public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response) {
//HttpServletRequest httpRequest = null;

LOG.info("CustomAuthenticationInfoPostProcessor invoked");
LOG.info("HttpServletRequest data"+request.getAuthType()+","+request.getContextPath()+","+request.getHeaderNames().toString()+","+request.getRequestURL());

//httpRequest = request;

String requestURL = request.getRequestURL().toString();

Set<String> runModes = slingSettingsService.getRunModes();
LOG.info("runModes : "+runModes);

if (runModes.contains("publish") && requestURL.contains("custompath/saml_login")

) {
if (info != null) {
LOG.info("info not null ");
Map<String, Object> params = new HashMap<>();
params.put(ResourceResolverFactory.SUBSERVICE, "userManagerService");
LOG.info("params : "+params);

try {
LOG.debug("resolverFactory:"+resolverFactory);
resolver = resolverFactory.getServiceResourceResolver(params);
LOG.debug("resolver:"+resolver);
String userID = info.getUser();
LOG.info("userID : "+userID);

if (StringUtils.isNotEmpty(userID)) {
Session session = resolver.adaptTo(Session.class);
UserManager userManager = resolver.adaptTo(UserManager.class);
Authorizable user;
try {
user = userManager.getAuthorizable(userID);
if (user != null) {
LOG.info("user is available");

Set<String> userGroupsToAdd = getGroupsFromAttributes(user);
if (user != null && userGroupsToAdd != null) {
LOG.info("Syncing user groups: " + user.getID() + " " + userGroupsToAdd.toString());
}

Set<String> existingGroupNames = new HashSet<>();
Iterator<Authorizable> iter = userManager.findAuthorizables("jcr:primaryType","rep:Group");
while (iter.hasNext()) {
Authorizable authorizable = iter.next();
if (authorizable.getPath().startsWith("/home/groups/customerpath")) {
LOG.info("authorizable.getID().toLowerCase(): "+authorizable.getID().toLowerCase());

existingGroupNames.add(authorizable.getID().toLowerCase());
}
}

for (String existingGroupName : existingGroupNames) {
LOG.info("existingGroupName: "+existingGroupName);

if (userManager.getAuthorizable(existingGroupName) != null) {
if (userGroupsToAdd.contains(existingGroupName)) {
((Group) userManager.getAuthorizable(existingGroupName)).addMember(user);
} else {
((Group) userManager.getAuthorizable(existingGroupName)).removeMember(user);
}
}
}

session.save();

}
} catch (RepositoryException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

}

} catch (LoginException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

}

}

}

 

I dont see code getting executed after LOG.info("params : "+params); is there any auto terminate that will happen if certain condition is not met in the Authentication framework.

 

Can you suggest the best approach to solve this problem.

 

Thanks all in advance

1 Accepted Solution

Avatar

Correct answer by
Level 2

Looks like issue was with System user ACL . I had to set Principal and the ACLs worked correctly . Hope this post helps others with similar issue.

View solution in original post

4 Replies

Avatar

Community Advisor

@priya_cr May be the resource resolver created with "userManagerService" service user doesn't have access to read/write to /home/users and /home/groups path in repo. Please check the error log since the rest of code wrapped in try catch and fails.

Avatar

Level 2

Yes it was system user creation error which is solved and now facing a different issue. I see that the user synced through saml is not getting assigned to the groups.

Avatar

Correct answer by
Level 2

Looks like issue was with System user ACL . I had to set Principal and the ACLs worked correctly . Hope this post helps others with similar issue.