Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

SAML Authentication - Addition to Default Groups

srikanthp689160
Level 4
Level 4

Hi Team,

I have one question on Default Groups configuration in SAML Authentication Handler. From documentation I understand that if Autocreate CRX Users is checked, Group Membership and is configured with name of attribute in SAML response, user would be added to respective groups after user creation.

On subsequent login attempts if the value in SAML response against Group Membership changes, will the user be removed from earlier group?

For example, user1 is logging for the first time and SAML response contains Group Membership as group1, after successful login, user is added to group1. As part of Business requirement, if user needs to be mapped to a different crx user group group2 and remove from earlier group(group2) then how should SAML response of Group Membership attribute look like?

Just group2 would do? Will this take care of removing user from group1?

 

Is there a way we can test this scenario? Could not think of a way since we do not have access to IDP configuration. Any inputs on open source IDP where we can configure SAML response attributes would be highly helpful.

 

Thanks

Srikanth

Groups SAML2.0 User groups
1 Accepted Solution
Abdul_Rasheed
Correct answer by
Level 2
Level 2

best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups

View solution in original post

5 Replies
Abdul_Rasheed
Correct answer by
Level 2
Level 2

best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups

View solution in original post

srikanthp689160
Level 4
Level 4

Hi @Abdul_Rasheed, can you please point me to an article or document with more details on this?

I could not understand about manually mapping SAML groups to local AEM groups.

 

Thanks

Srikanth

Abdul_Rasheed
Level 2
Level 2

There is not specific documentation on this. Here is the process,

 

1. Setup AEM to handshake with SAML. Lets say a user is part of 4 SAML groups, saml_a, saml_b, saml_c, saml_d . Upon logging into AEM first time the SAML groups will be created in AEM but the user will not able to access anything, which is fine

2. Next steps is to create local AEM groups and enable access as per your need. aem_grp_a, aem_grp_b, aem_grp_c, aem_grp_d

3. Now map the saml_a group to aem_grp_a as member, this will ensure all aem_grp_a perm will be applicable for saml_a group.

4. You can validate user access by impersonating the user login

 

This would be an ideal way for managing access. 

 

Always not that you shouldnt play around with SAML group access on AEM instance.

 

Thanks,

Abdul

srikanthp689160
Level 4
Level 4
@Abdul_Rasheed, sorry for my ignorance, does the statement "Now map the saml_a group to aem_grp_a as member, this will ensure all aem_grp_a perm will be applicable for saml_a group", mean both saml_a and aem_grp_a needs to be created in AEM and add saml_a to aem_grp_a manually?
VeenaK
Level 3
Level 3

For open-source IDP - https://www.ssocircle.com/en/portfolio/publicidp/ this works best. We can register using an email and utilize the services. Although this has a certain limit on the number of requests, can try to register with other email IDs for more testing.