SAML Authentication - Addition to Default Groups



Hi Team,

I have one question on Default Groups configuration in SAML Authentication Handler. From documentation I understand that if Autocreate CRX Users is checked, Group Membership and is configured with name of attribute in SAML response, user would be added to respective groups after user creation.

On subsequent login attempts if the value in SAML response against Group Membership changes, will the user be removed from earlier group?

For example, user1 is logging for the first time and SAML response contains Group Membership as group1, after successful login, user is added to group1. As part of Business requirement, if user needs to be mapped to a different crx user group group2 and remove from earlier group(group2) then how should SAML response of Group Membership attribute look like?

Just group2 would do? Will this take care of removing user from group1?


Is there a way we can test this scenario? Could not think of a way since we do not have access to IDP configuration. Any inputs on open source IDP where we can configure SAML response attributes would be highly helpful.




Groups SAML2.0 User groups

Accepted Solutions (1)

Accepted Solutions (1)



best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups

Answers (1)

Answers (1)



For open-source IDP - this works best. We can register using an email and utilize the services. Although this has a certain limit on the number of requests, can try to register with other email IDs for more testing.