Real Time Access Control.

Hi,

I think having changes applied after the session has expired was intentionally designed. Imagine you are working on something and suddenly get logged out because an admin updated your user's ACL. This could lead to a bad user experience. So, my recommendation would be to put in place a business process for these updates. Perhaps it's better to send an email with instructions that the user should log out to see the permission changes applied.

If you really want to force a user to log out from their session, you would need to implement something custom and manual to check if there is some sort of flag indicating that the session needs to be terminated. You could use something like a filter to achieve that, but again, I wouldn't recommend forcing a logout. Another alternative is to tune up the session lifetime and align it with something smaller. You can check something like this:

https://helpx.adobe.com/experience-manager/kb/login-session-refresh-not-working.html 

Hope this helps

Hi @randeep_virk ,

To ensure real-time access control in Adobe Experience Manager (AEM) based on changes in user groups retrieved from SAML authentication, you can implement a solution that periodically synchronizes user groups or actively invalidates user sessions when group memberships change. Here's how you can achieve this:

1. Periodic Synchronization:

   • Implement a scheduled job or a background process in AEM that periodically synchronizes user groups with the data retrieved from the SAML authentication source.
   • This synchronization process can compare the current user groups with the groups retrieved from SAML and update the user's group memberships accordingly in AEM.
   • By running this synchronization job at regular intervals (e.g., hourly or daily), you can ensure that any changes in group memberships are reflected in AEM without requiring users to log in again.

2. Session Invalidation:

   • Implement a mechanism to actively invalidate user sessions when group memberships change.
   • When a change in group memberships is detected during the synchronization process, invalidate the session for affected users programmatically.
   • This approach ensures that users are logged out immediately when their group memberships are updated, ensuring real-time access control.

3. Forceful Logout Workflow:

   • You can create a custom workflow in AEM that is triggered when group memberships change.
   • The workflow can identify users who are members of the groups that have been modified and force logout for those users.
   • This approach provides a more controlled way to handle user logout based on group changes, allowing you to define custom actions or notifications as needed.

4. Event-Driven Approach:

   • Utilize event-driven mechanisms in AEM to trigger actions when group membership changes occur.
   • Subscribe to events related to group modifications and implement event handlers to perform actions such as session invalidation or triggering a logout workflow for affected users.

5. Session Management Configuration:

   • Review and configure AEM's session management settings to ensure that sessions are not unnecessarily prolonged, which can delay the application of group membership changes.
   • Adjust session timeout settings to ensure sessions expire within a reasonable timeframe, allowing users to log in again and obtain updated group memberships.

By implementing one or more of these approaches, you can achieve real-time access control in AEM based on changes in user groups retrieved from SAML authentication, ensuring that users have the appropriate access to pages and content without delay. Choose the approach that best suits your requirements and infrastructure setup.

Randeep, Are you able to try any of the options? Can you post your findings?