Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

SAML Authentication - Addition to Default Groups

Avatar

Level 4

Hi Team,

I have one question on Default Groups configuration in SAML Authentication Handler. From documentation I understand that if Autocreate CRX Users is checked, Group Membership and is configured with name of attribute in SAML response, user would be added to respective groups after user creation.

On subsequent login attempts if the value in SAML response against Group Membership changes, will the user be removed from earlier group?

For example, user1 is logging for the first time and SAML response contains Group Membership as group1, after successful login, user is added to group1. As part of Business requirement, if user needs to be mapped to a different crx user group group2 and remove from earlier group(group2) then how should SAML response of Group Membership attribute look like?

Just group2 would do? Will this take care of removing user from group1?

 

Is there a way we can test this scenario? Could not think of a way since we do not have access to IDP configuration. Any inputs on open source IDP where we can configure SAML response attributes would be highly helpful.

 

Thanks

Srikanth

1 Accepted Solution

Avatar

Correct answer by
Level 2

best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups

View solution in original post

5 Replies

Avatar

Correct answer by
Level 2

best way to implement user and group administration for SAML would be manage AEM access using local AEM groups and once the SAML groups are synced in AEM, manually map them to these local groups

Avatar

Level 4

Hi @Abdul_Rasheed, can you please point me to an article or document with more details on this?

I could not understand about manually mapping SAML groups to local AEM groups.

 

Thanks

Srikanth

Avatar

Level 2

There is not specific documentation on this. Here is the process,

 

1. Setup AEM to handshake with SAML. Lets say a user is part of 4 SAML groups, saml_a, saml_b, saml_c, saml_d . Upon logging into AEM first time the SAML groups will be created in AEM but the user will not able to access anything, which is fine

2. Next steps is to create local AEM groups and enable access as per your need. aem_grp_a, aem_grp_b, aem_grp_c, aem_grp_d

3. Now map the saml_a group to aem_grp_a as member, this will ensure all aem_grp_a perm will be applicable for saml_a group.

4. You can validate user access by impersonating the user login

 

This would be an ideal way for managing access. 

 

Always not that you shouldnt play around with SAML group access on AEM instance.

 

Thanks,

Abdul

Avatar

Level 4
@Abdul_Rasheed, sorry for my ignorance, does the statement "Now map the saml_a group to aem_grp_a as member, this will ensure all aem_grp_a perm will be applicable for saml_a group", mean both saml_a and aem_grp_a needs to be created in AEM and add saml_a to aem_grp_a manually?

Avatar

Level 5

For open-source IDP - https://www.ssocircle.com/en/portfolio/publicidp/ this works best. We can register using an email and utilize the services. Although this has a certain limit on the number of requests, can try to register with other email IDs for more testing.