SAML Response contains DN | Community
Skip to main content
A
amitabhd6294229
New Member
May 18, 2020
Solved

SAML Response contains DN

  • May 18, 2020
  • 1 reply
  • 6459 views

Hello,

   We have configured the OOTB SAML Auth Handler successfully to use the Forgerock IDP and the authentication and communication between AEM 6.5 and the IDP is working fine. However, the groups are being returned as a DN instead of just the group name. Is this supported by the handler or do we need to create a custom handler to extract just the group name? The user is being placed in the default group so my assumption is that the DN is not supported. The IDP is authenticating the user against an AD, if that matters.

Anyone experience this before and how was it handled?

 

Thank you

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by akhoury

You must configure the IDP to send the value you want.  This isn't handled by AEM.  In the AEM SAML Handler OSGi configuration, you would just set the "Group Membership" property with the name of the SAML attribute containing the list of the user's memberships (containing the group CNs instead of DNs).

 

Based on my findings, I suspect you are using OpenAM IDP from Forgerock, is that correct?  If so, I guess you would need to implement a custom attribute mapper:

https://backstage.forgerock.com/knowledge/kb/article/a67576704

1 reply

akhoury
Adobe Employee
akhouryAdobe EmployeeAccepted solution
Adobe Employee
May 18, 2020

You must configure the IDP to send the value you want.  This isn't handled by AEM.  In the AEM SAML Handler OSGi configuration, you would just set the "Group Membership" property with the name of the SAML attribute containing the list of the user's memberships (containing the group CNs instead of DNs).

 

Based on my findings, I suspect you are using OpenAM IDP from Forgerock, is that correct?  If so, I guess you would need to implement a custom attribute mapper:

https://backstage.forgerock.com/knowledge/kb/article/a67576704

    A
    amitabhd6294229Author
    New Member
    May 18, 2020
    Yes. You are correct. We are using the OpenAM IDP from Forgerock. I did ask about the IDP implementing this, but I was told that any filters they create would be applicable at a global level and not Service Provider Specific which would affect other service providers. They are using the same configuration with Splunk and other products without any issues. We are getting this in the SAML Response <saml:Attribute Name="memberOf"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CN=APP-CRM-BUILD-PROFILE-CSR,OU=Resources,OU=_Groups,DC=lan,DC=xxxx,DC=org</saml:AttributeValue> I have specified "memberOf" as the groupMembership attribute.
    Terms & ConditionsAccessibility statement

    Loading footer...