Adobe Experience Manager Sites & More

srikanthp689160 · 10/9/20

Hi Team,

I have one question on Default Groups configuration in SAML Authentication Handler. From documentation I understand that if Autocreate CRX Users is checked, Group Membership and is configured with name of attribute in SAML response, user would be added to respective groups after user creation.

On subsequent login attempts if the value in SAML response against Group Membership changes, will the user be removed from earlier group?

For example, user1 is logging for the first time and SAML response contains Group Membership as group1, after successful login, user is added to group1. As part of Business requirement, if user needs to be mapped to a different crx user group group2 and remove from earlier group(group2) then how should SAML response of Group Membership attribute look like?

Just group2 would do? Will this take care of removing user from group1?

Is there a way we can test this scenario? Could not think of a way since we do not have access to IDP configuration. Any inputs on open source IDP where we can configure SAML response attributes would be highly helpful.

Thanks

Srikanth

Abdul_Rasheed · 10/9/20

best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups

View solution in original post

Abdul_Rasheed · 10/9/20

best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups

srikanthp689160 · 10/12/20

Hi @Abdul_Rasheed, can you please point me to an article or document with more details on this?

I could not understand about manually mapping SAML groups to local AEM groups.

Thanks

Srikanth

Abdul_Rasheed · 10/12/20

There is not specific documentation on this. Here is the process,

1. Setup AEM to handshake with SAML. Lets say a user is part of 4 SAML groups, saml_a, saml_b, saml_c, saml_d . Upon logging into AEM first time the SAML groups will be created in AEM but the user will not able to access anything, which is fine

2. Next steps is to create local AEM groups and enable access as per your need. aem_grp_a, aem_grp_b, aem_grp_c, aem_grp_d

3. Now map the saml_a group to aem_grp_a as member, this will ensure all aem_grp_a perm will be applicable for saml_a group.

4. You can validate user access by impersonating the user login

This would be an ideal way for managing access.

Always not that you shouldnt play around with SAML group access on AEM instance.

Thanks,

Abdul

srikanthp689160 · 10/13/20

@Abdul_Rasheed, sorry for my ignorance, does the statement "Now map the saml_a group to aem_grp_a as member, this will ensure all aem_grp_a perm will be applicable for saml_a group", mean both saml_a and aem_grp_a needs to be created in AEM and add saml_a to aem_grp_a manually?

VeenaK · 10/11/20

For open-source IDP - https://www.ssocircle.com/en/portfolio/publicidp/ this works best. We can register using an email and utilize the services. Although this has a certain limit on the number of requests, can try to register with other email IDs for more testing.

Adobe Experience Manager Sites & More

SAML Authentication - Addition to Default Groups

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe