Expand my Community achievements bar.

Applications for the 2024-2025 Adobe Experience Manager Champion Program are open!
Apply Here Now
SOLVED

Real Time Access Control.

Avatar

Level 2
Level 2
4/30/24 4:17:46 AM

We have SAML authentication which also provide us user related groups which we save in AEM and maintain a session.
On the basis of these groups we give page access.
As we maintain a session if we add/update/delete groups in user's account the changes do not reflect until the session expires and user's logs in again.
Is there any way to make this real time or we do we have any OOTB workflow using which we can forcefully logout users.
Or any other recommended way ?

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

Experience Manager Workflow

Views

112

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 4
Level 4
4/30/24 12:35:42 PM
SAML 2.0 Authentication Handler is designed to handle user sessions and group memberships.
However, it does not provide an out-of-the-box (OOTB) solution for real-time group membership updates during an active session.
Typically, changes to a user’s group memberships are reflected only after the user logs out and logs back in, as the SAML assertion that contains the group information is processed at login.
 
I second EstebanBustamante opinion on how this might be a bad user experience. 
 
  • You can adjust the session timeout settings to have shorter sessions. This would prompt users to log in more frequently, thus updating their group memberships more often.
  • You can also implement a custom solution that listens for changes in user group memberships and invalidates the user’s session when a change is detected. This could be done using an OSGi event listener or a custom workflow that triggers upon group changes.
     
     
     
     

View solution in original post

Views

82

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Community Advisor
Community Advisor
4/30/24 7:29:57 AM

Hi,

 

I think having changes applied after the session has expired was intentionally designed. Imagine you are working on something and suddenly get logged out because an admin updated your user's ACL. This could lead to a bad user experience. So, my recommendation would be to put in place a business process for these updates. Perhaps it's better to send an email with instructions that the user should log out to see the permission changes applied.

 

If you really want to force a user to log out from their session, you would need to implement something custom and manual to check if there is some sort of flag indicating that the session needs to be terminated. You could use something like a filter to achieve that, but again, I wouldn't recommend forcing a logout. Another alternative is to tune up the session lifetime and align it with something smaller. You can check something like this:

https://helpx.adobe.com/experience-manager/kb/login-session-refresh-not-working.html 


Hope this helps


Esteban Bustamante

Views

91

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 4
Level 4
4/30/24 12:35:42 PM
SAML 2.0 Authentication Handler is designed to handle user sessions and group memberships.
However, it does not provide an out-of-the-box (OOTB) solution for real-time group membership updates during an active session.
Typically, changes to a user’s group memberships are reflected only after the user logs out and logs back in, as the SAML assertion that contains the group information is processed at login.
 
I second EstebanBustamante opinion on how this might be a bad user experience. 
 
  • You can adjust the session timeout settings to have shorter sessions. This would prompt users to log in more frequently, thus updating their group memberships more often.
  • You can also implement a custom solution that listens for changes in user group memberships and invalidates the user’s session when a change is detected. This could be done using an OSGi event listener or a custom workflow that triggers upon group changes.
     
     
     
     

Views

83

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 7
Level 7
5/1/24 2:25:54 AM

Hi @Randeep_virk ,

To ensure real-time access control in Adobe Experience Manager (AEM) based on changes in user groups retrieved from SAML authentication, you can implement a solution that periodically synchronizes user groups or actively invalidates user sessions when group memberships change. Here's how you can achieve this:

  1. Periodic Synchronization:

    • Implement a scheduled job or a background process in AEM that periodically synchronizes user groups with the data retrieved from the SAML authentication source.
    • This synchronization process can compare the current user groups with the groups retrieved from SAML and update the user's group memberships accordingly in AEM.
    • By running this synchronization job at regular intervals (e.g., hourly or daily), you can ensure that any changes in group memberships are reflected in AEM without requiring users to log in again.

  2. Session Invalidation:

    • Implement a mechanism to actively invalidate user sessions when group memberships change.
    • When a change in group memberships is detected during the synchronization process, invalidate the session for affected users programmatically.
    • This approach ensures that users are logged out immediately when their group memberships are updated, ensuring real-time access control.

  3. Forceful Logout Workflow:

    • You can create a custom workflow in AEM that is triggered when group memberships change.
    • The workflow can identify users who are members of the groups that have been modified and force logout for those users.
    • This approach provides a more controlled way to handle user logout based on group changes, allowing you to define custom actions or notifications as needed.

  4. Event-Driven Approach:

    • Utilize event-driven mechanisms in AEM to trigger actions when group membership changes occur.
    • Subscribe to events related to group modifications and implement event handlers to perform actions such as session invalidation or triggering a logout workflow for affected users.

  5. Session Management Configuration:

    • Review and configure AEM's session management settings to ensure that sessions are not unnecessarily prolonged, which can delay the application of group membership changes.
    • Adjust session timeout settings to ensure sessions expire within a reasonable timeframe, allowing users to log in again and obtain updated group memberships.

By implementing one or more of these approaches, you can achieve real-time access control in AEM based on changes in user groups retrieved from SAML authentication, ensuring that users have the appropriate access to pages and content without delay. Choose the approach that best suits your requirements and infrastructure setup.

Views

63

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
5/2/24 3:40:11 PM

Randeep, Are you able to try any of the options? Can you post your findings?

Views

38

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Is Reverse Proxy using dispatcher still the best way to access Third-Party API? Solved

Views

81

Likes

0

Replies

1
how to get access code on Practice Tests Page Solved

Views

137

Likes

0

Replies

1
Is it possible to make publisher accessible in browser with https?

Views

22

Likes

0

Replies

0
Access to path "/libs/granite/csrf/token.json" is returning 404.

Views

135

Likes

0

Replies

3
How to get request access for the Universal Editor?

Views

103

Likes

0

Replies

4