SAML - Sync User Groups? | Community
Level 2
June 7, 2018
Solved

SAML - Sync User Groups?

  • June 7, 2018
  • 4 replies
  • 4969 views

Is it possible to sync a user group from my IDP?

If I have a group called "developer" in my IDP and the same user group called "developer" in AEM, is there a way to add this to "Synchronized Attributes" so that when the user logs in they are a part of that group in AEM as well? If so, what's the sync path?


4 replies

smacdonald2008
Level 10
June 7, 2018

Only HELPX we have on SAML is here: Integrating SAML with Adobe Experience Manager

The author is referenced in the article and his LinkedIn is specified. You can try to reach out to him. (That is why they are included in HELPX articles.)

aneetarora (Adobe Employee) - Accepted solution
June 7, 2018

Hello gregy68980908

As you already have a group in AEM, the user logging in to AEM would be added as a member to this group if the SAML response contains the appropriate group attribute. You will have to identify the group attribute and make sure that the SAML configuration in AEM looks for that group attribute. For example:

If my SAML response contains the following:

    <saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aneetsgroup</saml2:AttributeValue>
    </saml2:Attribute>

Then my SAML configuration should contain "group" as the value for the "Group Membership" field.

Best Regards,

Aneet Arora

Adobe Employee
June 8, 2018

The groups created in the IDP are to be pre-created in AEM. Once the user tries to log in and is authenticated by the IDP, the success SAML response would contain the list of groups mapped over the group sync attribute.

The SAML auth handler would update the group membership in accordance with the group values in the SAML response for the users. In essence, it only creates users in CRX and updates the group membership.
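
As an added illustration of the two answers above (example code written for this thread, not code from AEM's own SAML handler), the sketch below reads the attribute named in the "Group Membership" field out of an assertion and works out which memberships a login should change. Assumptions: the attribute name is "group", the assertion is a constructed sample wrapping the AttributeStatement from the accepted answer, its signature has already been verified upstream, and only groups pre-created in AEM and managed by the IDP are ever added or removed (local groups such as administrators are never touched).

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed sample assertion (assumed to be signature-verified already);
# the group attribute mirrors the one shown in the accepted answer.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2_NS}">
  <saml2:Subject><saml2:NameID>gregy</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
      <saml2:AttributeValue>aneetsgroup</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>gregy@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def attribute_values(assertion_xml, attribute_name):
    """Return every AttributeValue of the Attribute whose Name equals the
    configured 'Group Membership' attribute; other attributes are ignored."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml2:AttributeValue", NS):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values


def plan_group_sync(assertion_xml, attribute_name, idp_managed_groups, current_membership):
    """Compute the membership changes a login would apply.
    Groups must already exist in AEM (second reply), so values with no
    matching pre-created group are reported as 'unknown', not created.
    Removals are confined to IDP-managed groups (an assumption here)."""
    wanted = set(attribute_values(assertion_xml, attribute_name))
    managed = set(idp_managed_groups)
    known = wanted & managed
    current = set(current_membership)
    return {
        "add": sorted(known - current),
        "remove": sorted((current & managed) - known),
        "unknown": sorted(wanted - managed),
    }
```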

Level 2
June 8, 2018

Worked perfectly - thanks for the help!