Expand my Community achievements bar.

SOLVED

SAML Response contains DN

Avatar

Level 1

Hello,

   We have configured the OOTB SAML Auth Handler successfully to use the Forgerock IDP and the authentication and communication between AEM 6.5 and the IDP is working fine. However, the groups are being returned as a DN instead of just the group name. Is this supported by the handler or do we need to create a custom handler to extract just the group name? The user is being placed in the default group so my assumption is that the DN is not supported. The IDP is authenticating the user against an AD, if that matters.

Anyone experience this before and how was it handled?

 

Thank you

1 Accepted Solution

Avatar

Correct answer by
Employee

You must configure the IDP to send the value you want.  This isn't handled by AEM.  In the AEM SAML Handler OSGi configuration, you would just set the "Group Membership" property with the name of the SAML attribute containing the list of the user's memberships (containing the group CNs instead of DNs).

 

Based on my findings, I suspect you are using OpenAM IDP from Forgerock, is that correct?  If so, I guess you would need to implement a custom attribute mapper:

https://backstage.forgerock.com/knowledge/kb/article/a67576704

View solution in original post

3 Replies

Avatar

Correct answer by
Employee

You must configure the IDP to send the value you want.  This isn't handled by AEM.  In the AEM SAML Handler OSGi configuration, you would just set the "Group Membership" property with the name of the SAML attribute containing the list of the user's memberships (containing the group CNs instead of DNs).

 

Based on my findings, I suspect you are using OpenAM IDP from Forgerock, is that correct?  If so, I guess you would need to implement a custom attribute mapper:

https://backstage.forgerock.com/knowledge/kb/article/a67576704

Avatar

Level 1
Yes. You are correct. We are using the OpenAM IDP from Forgerock. I did ask about the IDP implementing this, but I was told that any filters they create would be applicable at a global level and not Service Provider Specific which would affect other service providers. They are using the same configuration with Splunk and other products without any issues. We are getting this in the SAML Response <saml:Attribute Name="memberOf"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=APP-CRM-BUILD-PROFILE-CSR,OU=Resources,OU=_Groups,DC=lan,DC=xxxx,DC=org</saml:AttributeValue> I have specified "memberOf" as the groupMembership attribute.

Avatar

Employee
AEM's SAML handler doesn't parse out the CN from the DN. However, you can just use the DN in AEM and it doesn't have to be visible to users. You can create the groups in AEM with the DN as the id, for example, "CN=APP-CRM-BUILD-PROFILE-CSR,OU=Resources,OU=_Groups,DC=lan,DC=xxxx,DC=org", then just give the group a friendly name in the group title. Why the need for it to be the CN? DN isn't a bad thing, it avoids naming conflicts.