SAML Authentication - Addition to Default Groups

srikanthp689160
Level 3

09-10-2020

Hi Team,

I have one question on the Default Groups configuration in the SAML Authentication Handler. From the documentation I understand that if Autocreate CRX Users is checked and Group Membership is configured with the name of an attribute in the SAML response, the user would be added to the respective groups after user creation.

On subsequent login attempts if the value in SAML response against Group Membership changes, will the user be removed from earlier group?

For example, user1 is logging in for the first time and the SAML response contains Group Membership as group1; after successful login, the user is added to group1. As part of a business requirement, if the user needs to be mapped to a different CRX user group, group2, and removed from the earlier group (group2), then how should the Group Membership attribute of the SAML response look?

Just group2 would do? Will this take care of removing the user from group1?

Is there a way we can test this scenario? I could not think of a way since we do not have access to the IDP configuration. Any inputs on an open source IDP where we can configure SAML response attributes would be highly helpful.

Thanks

Srikanth

Groups SAML2.0 User groups

Accepted Solutions (1)

Abdul_Rasheed
Level 2

09-10-2020

The best way to implement user and group administration for SAML would be to manage AEM access using local AEM groups and, once the SAML groups are synced in AEM, manually map them to these local groups.

Answers (1)

VeenaK
Level 2

11-10-2020

For an open-source IDP, https://www.ssocircle.com/en/portfolio/publicidp/ works best. We can register using an email and utilize the services. Although this has a certain limit on the number of requests, you can try to register with other email IDs for more testing.
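
When testing against an IdP such as the one suggested above, it helps to see exactly which group values arrive in the assertion and which memberships would have to change for the user to match it. The script below is an added example, not part of the thread or of AEM. The attribute name `groupMembership`, the function names and the sample response are assumptions constructed for illustration. It only reports the difference and says nothing about whether AEM itself removes the old membership.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal SAML response for user1 asserting only group2.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groupMembership">
        <saml:AttributeValue>group2</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>user1@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The HTTP-POST binding carries the response base64-encoded in the SAMLResponse field.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def groups_from_response(b64_response, attr_name):
    """Return the values of the (possibly multi-valued) attribute attr_name.

    Inspection only: the signature is NOT verified here, so never use this
    output for an access decision. Use it on test assertions you captured.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    groups = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return groups


def membership_delta(current, asserted):
    """Compare the user's current groups with the groups in the assertion."""
    return {"add": sorted(asserted - current),
            "remove": sorted(current - asserted),
            "keep": sorted(current & asserted)}


if __name__ == "__main__":
    asserted = groups_from_response(SAMPLE_B64, "groupMembership")
    print(membership_delta({"group1"}, asserted))
```

Comparing the reported delta with the user's actual group list in AEM after the second login shows whether the old membership was dropped or has to be cleaned up separately.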