SAML Response contains DN

amitabhd6294229
Level 1

18-05-2020

Hello,

We have configured the OOTB SAML Auth Handler successfully to use the Forgerock IDP and the authentication and communication between AEM 6.5 and the IDP is working fine. However, the groups are being returned as a DN instead of just the group name. Is this supported by the handler or do we need to create a custom handler to extract just the group name? The user is being placed in the default group so my assumption is that the DN is not supported. The IDP is authenticating the user against an AD, if that matters.

Anyone experience this before and how was it handled?


Thank you

Accepted Solutions (1)

Andrew_Khoury
Employee

18-05-2020

You must configure the IDP to send the value you want.  This isn't handled by AEM.  In the AEM SAML Handler OSGi configuration, you would just set the "Group Membership" property with the name of the SAML attribute containing the list of the user's memberships (containing the group CNs instead of DNs).


Based on my findings, I suspect you are using OpenAM IDP from Forgerock, is that correct?  If so, I guess you would need to implement a custom attribute mapper:

https://backstage.forgerock.com/knowledge/kb/article/a67576704
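The mapping the answer describes (group DN in, bare group CN out) is what a custom attribute mapper on the IDP side has to do before the value reaches the AEM handler's "Group Membership" attribute. The example below is added here and is not AEM or ForgeRock code; `DnGroupMapper`, `cnOf` and `toGroupNames` are names chosen for this example, and the DNs in the comments are constructed. It parses the first RDN per RFC 4514 (escaped commas and hex pairs included, so a naive split on "," is avoided) and refuses to map two different DNs onto the same CN, since that would silently merge two directory groups into one AEM group.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Constructed example (not AEM/ForgeRock code): maps group DNs to bare CNs. */
public final class DnGroupMapper {
    /** Value of the leading cn= RDN of an RFC 4514 DN, or null if the DN does not
     *  start with cn=. Handles backslash escapes and \XX hex pairs (single bytes). */
    public static String cnOf(String dn) {
        if (dn == null) return null;
        String s = dn.trim();
        if (!s.regionMatches(true, 0, "cn=", 0, 3)) return null;
        StringBuilder v = new StringBuilder();
        for (int i = 3; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' && i + 1 < s.length()) {
                if (i + 2 < s.length() && isHex(s.charAt(i + 1)) && isHex(s.charAt(i + 2))) {
                    v.append((char) Integer.parseInt(s.substring(i + 1, i + 3), 16));
                    i += 2;
                } else {
                    v.append(s.charAt(++i)); // escaped special such as \, \+ or \\
                }
            } else if (c == ',' || c == '+' || c == ';') {
                break; // end of the first RDN
            } else {
                v.append(c);
            }
        }
        return v.toString().trim();
    }

    private static boolean isHex(char c) { return Character.digit(c, 16) >= 0; }

    /** Maps each DN to its CN and fails loudly if two different DNs share a CN,
     *  since they would collapse into one AEM group (e.g. cn=admins under two OUs). */
    public static List<String> toGroupNames(List<String> dns) {
        Map<String, String> seen = new HashMap<>();   // lower-cased CN -> first DN seen
        List<String> names = new ArrayList<>();
        for (String dn : dns) {
            String cn = cnOf(dn);                     // e.g. "CN=aem-authors,OU=Groups,DC=example,DC=com"
            if (cn == null) throw new IllegalArgumentException("not a cn= DN: " + dn);
            String prev = seen.putIfAbsent(cn.toLowerCase(), dn.trim());
            if (prev == null) names.add(cn);          // "cn=Sales\, EMEA,ou=Groups,..." -> "Sales, EMEA"
            else if (!prev.equalsIgnoreCase(dn.trim()))
                throw new IllegalStateException("ambiguous CN '" + cn + "': " + prev + " / " + dn);
        }
        return names;
    }
}
```

Whatever mapper the IDP ends up using, the list it emits in the SAML attribute must contain only these bare names, and the AEM handler's "Group Membership" property must name that attribute.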

Answers (0)