Hi Team,
I have one question on Default Groups configuration in SAML Authentication Handler. From documentation I understand that if Autocreate CRX Users is checked, Group Membership and is configured with name of attribute in SAML response, user would be added to respective groups after user creation.
On subsequent login attempts if the value in SAML response against Group Membership changes, will the user be removed from earlier group?
For example, user1 is logging for the first time and SAML response contains Group Membership as group1, after successful login, user is added to group1. As part of Business requirement, if user needs to be mapped to a different crx user group group2 and remove from earlier group(group2) then how should SAML response of Group Membership attribute look like?
Just group2 would do? Will this take care of removing user from group1?
Is there a way we can test this scenario? Could not think of a way since we do not have access to IDP configuration. Any inputs on open source IDP where we can configure SAML response attributes would be highly helpful.
Thanks
Srikanth
Solved! Go to Solution.
Views
Replies
Total Likes
best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups
best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups
Hi @Abdul_Rasheed, can you please point me to an article or document with more details on this?
I could not understand about manually mapping SAML groups to local AEM groups.
Thanks
Srikanth
Views
Replies
Total Likes
There is not specific documentation on this. Here is the process,
1. Setup AEM to handshake with SAML. Lets say a user is part of 4 SAML groups, saml_a, saml_b, saml_c, saml_d . Upon logging into AEM first time the SAML groups will be created in AEM but the user will not able to access anything, which is fine
2. Next steps is to create local AEM groups and enable access as per your need. aem_grp_a, aem_grp_b, aem_grp_c, aem_grp_d
3. Now map the saml_a group to aem_grp_a as member, this will ensure all aem_grp_a perm will be applicable for saml_a group.
4. You can validate user access by impersonating the user login
This would be an ideal way for managing access.
Always not that you shouldnt play around with SAML group access on AEM instance.
Thanks,
Abdul
Views
Replies
Total Likes
Views
Replies
Total Likes
For open-source IDP - https://www.ssocircle.com/en/portfolio/publicidp/ this works best. We can register using an email and utilize the services. Although this has a certain limit on the number of requests, can try to register with other email IDs for more testing.
Views
Likes
Replies
Views
Likes
Replies