SOLVED

SAML Response contains DN

amitabhd6294229, Level 1

Hello,

We have configured the OOTB SAML Auth Handler successfully to use the Forgerock IDP, and the authentication and communication between AEM 6.5 and the IDP are working fine. However, the groups are being returned as a DN instead of just the group name. Is this supported by the handler, or do we need to create a custom handler to extract just the group name? The user is being placed in the default group, so my assumption is that the DN is not supported. The IDP is authenticating the user against an AD, if that matters.

Has anyone experienced this before, and how was it handled?


Thank you

1 Accepted Solution
Andrew_Khoury, Employee (correct answer)

You must configure the IDP to send the value you want.  This isn't handled by AEM.  In the AEM SAML Handler OSGi configuration, you would just set the "Group Membership" property with the name of the SAML attribute containing the list of the user's memberships (containing the group CNs instead of DNs).


Based on my findings, I suspect you are using OpenAM IDP from Forgerock, is that correct?  If so, I guess you would need to implement a custom attribute mapper:

https://backstage.forgerock.com/knowledge/kb/article/a67576704


2 Replies

amitabhd6294229, Level 1
Yes. You are correct. We are using the OpenAM IDP from Forgerock. I did ask about the IDP implementing this, but I was told that any filters they create would be applicable at a global level and not Service Provider Specific which would affect other service providers. They are using the same configuration with Splunk and other products without any issues. We are getting this in the SAML Response <saml:Attribute Name="memberOf"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=APP-CRM-BUILD-PROFILE-CSR,OU=Resources,OU=_Groups,DC=lan,DC=xxxx,DC=org</saml:AttributeValue> I have specified "memberOf" as the groupMembership attribute.
Andrew_Khoury, Employee
AEM's SAML handler doesn't parse out the CN from the DN. However, you can just use the DN in AEM and it doesn't have to be visible to users. You can create the groups in AEM with the DN as the id, for example, "CN=APP-CRM-BUILD-PROFILE-CSR,OU=Resources,OU=_Groups,DC=lan,DC=xxxx,DC=org", then just give the group a friendly name in the group title. Why the need for it to be the CN? DN isn't a bad thing, it avoids naming conflicts.
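As an added example (not code from this thread, from Adobe's SAML handler or from ForgeRock): it parses the memberOf attribute out of an AttributeStatement like the one quoted above, extracts the CN the way a custom mapper would (honouring RFC 4514 escaping, which a plain split on commas does not), and shows why the DN makes a safer AEM group id than the CN alone. The sample statement is constructed; the escaped-comma value and the second group in a Contractors OU are assumptions added to illustrate the edge cases.

```python
import xml.etree.ElementTree as ET
from collections import Counter
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample, not a real IDP response: the memberOf value quoted in the thread,
# a CN containing an RFC 4514 escaped comma, and a same-named group in another OU.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">CN=APP-CRM-BUILD-PROFILE-CSR,OU=Resources,OU=_Groups,DC=lan,DC=xxxx,DC=org</saml:AttributeValue>
    <saml:AttributeValue>CN=Sales\\, EMEA,OU=_Groups,DC=lan,DC=xxxx,DC=org</saml:AttributeValue>
    <saml:AttributeValue>CN=APP-CRM-BUILD-PROFILE-CSR,OU=Contractors,OU=_Groups,DC=lan,DC=xxxx,DC=org</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def saml_attribute_values(xml_text, name="memberOf"):
    """String values of the named SAML attribute (the one AEM's 'Group Membership' setting points at)."""
    root = ET.fromstring(xml_text)
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            return [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return []

def split_dn(dn):
    """(TYPE, value) pairs of a DN, honouring RFC 4514 backslash escapes; dn.split(',') would not."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":  # escape: either a \XX hex pair or a backslash-quoted special character
            esc = dn[i + 1:i + 3]
            is_hex = len(esc) == 2 and all(c in "0123456789abcdefABCDEF" for c in esc)
            buf.append(bytes.fromhex(esc).decode("latin-1") if is_hex else esc[:1])
            i += 3 if is_hex else 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [(t.strip().upper(), v) for t, _, v in (r.partition("=") for r in rdns)]

def cn_from_dn(dn):
    """First CN of the DN, or None: what a custom mapper extracting 'just the group name' would yield."""
    return next((v for t, v in split_dn(dn) if t == "CN"), None)

def cn_collisions(dns):
    """CNs shared by several DNs: distinct AD groups that would merge if the CN alone were the AEM group id."""
    return {cn for cn, n in Counter(cn_from_dn(d) for d in dns).items() if n > 1}
```

Using the DN itself as the AEM group id, as suggested above, keeps the two APP-CRM-BUILD-PROFILE-CSR groups apart; a CN-only mapping would grant both memberships through one AEM group.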