SAML Response contains DN

Avatar

Avatar

amitabhd6294229

Avatar

amitabhd6294229

amitabhd6294229

18-05-2020

Hello,

   We have configured the OOTB SAML Auth Handler successfully to use the Forgerock IDP and the authentication and communication between AEM 6.5 and the IDP is working fine. However, the groups are being returned as a DN instead of just the group name. Is this supported by the handler or do we need to create a custom handler to extract just the group name? The user is being placed in the default group so my assumption is that the DN is not supported. The IDP is authenticating the user against an AD, if that matters.

Anyone experience this before and how was it handled?

 

Thank you

SAML
View Entire Topic

Avatar

Avatar

Andrew_Khoury

Employee

Avatar

Andrew_Khoury

Employee

Andrew_Khoury
Employee

18-05-2020

You must configure the IDP to send the value you want.  This isn't handled by AEM.  In the AEM SAML Handler OSGi configuration, you would just set the "Group Membership" property with the name of the SAML attribute containing the list of the user's memberships (containing the group CNs instead of DNs).

 

Based on my findings, I suspect you are using OpenAM IDP from Forgerock, is that correct?  If so, I guess you would need to implement a custom attribute mapper:

https://backstage.forgerock.com/knowledge/kb/article/a67576704