Is it possible to sync a user group from my IDP?
If I have a group called "developer" in my IDP and the same user group called "developer" in AEM, is there a way to add this to "Synchronized Attributes" so when the user logs in they are a part of that group in AEM as well? If so, what's the sync path?
Hello gregy68980908
As you already have a group in AEM, the user logging in to AEM would be added as a member to this group if the SAML response contains the appropriate group attribute. You will have to identify the group attribute and make sure that the SAML configuration in AEM looks for that group attribute. For example:
If my SAML response contains the following
<saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aneetsgroup</saml2:AttributeValue>
</saml2:Attribute>
Then my SAML configuration should contain "group" as the value for the "Group Membership" field.
Best Regards,
Aneet Arora
The only HELPX article we have on SAML is this one: Integrating SAML with Adobe Experience Manager
The author is referenced in the article and his LinkedIn is specified. You can try to reach out to him. (That is why they are included in HELPX articles.)
The groups created in the IDP are to be pre-created in AEM. Once the user tries to log in and is authenticated by the IDP, the successful SAML response would contain the list of groups mapped over the group sync attribute.
The SAML auth handler would update the group membership for the user in accordance with the group values in the SAML response. In essence, it only creates users in CRX and updates the group membership.
Worked perfectly - thanks for the help!
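To make the mechanism in the two answers above concrete, here is an added Python example (not AEM's own code and not from anyone in this thread). It parses the attribute statement from Aneet's sample response, pulls the values of whichever attribute name is configured as "Group Membership", and then works out the membership change against a set of groups that already exist in AEM. Two assumptions are built in and labelled in the code: the assertion's signature has already been validated before attributes are trusted (AEM's handler does that step, this example does not), and the group attribute is treated as authoritative, so a pre-created AEM group that the response omits is removed from the user; groups named by the IDP but not pre-created in AEM are reported but never created, matching the point that groups must exist in AEM first.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed sample: the <saml2:Attribute Name="group"> block from the reply
# above, wrapped in an AttributeStatement with the namespace declarations it
# needs to parse on its own, plus an unrelated attribute to show filtering.
# ASSUMPTION: the enclosing assertion's signature was already verified by the
# auth handler; attribute values are only meaningful after that check.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml2:AttributeStatement
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Attribute Name="group"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xsi:type="xs:string">developer</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">aneetsgroup</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="email"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xsi:type="xs:string">user@example.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""


def extract_attribute_values(statement_xml, attribute_name):
    """Return every non-empty AttributeValue of the attribute named
    `attribute_name` (the value you put in AEM's "Group Membership" field).
    Works whether the input is an AttributeStatement or a whole Assertion."""
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml2:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def plan_group_sync(idp_groups, current_memberships, existing_aem_groups):
    """Compute the membership delta for one user.

    ASSUMPTION (this example's policy, not a statement about AEM internals):
    the IDP attribute is authoritative, so memberships in pre-created AEM
    groups that the response no longer lists are dropped. Groups the IDP
    names that do not exist in AEM are returned as `unknown` and never
    created, because groups must be pre-created in AEM.
    Returns (to_add, to_remove, unknown), each sorted for stable output."""
    idp = set(idp_groups)
    existing = set(existing_aem_groups)
    current = set(current_memberships)

    unknown = sorted(idp - existing)
    desired = idp & existing
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    return to_add, to_remove, unknown


def sync_user_groups(statement_xml, group_attribute, current_memberships,
                     existing_aem_groups):
    """End-to-end: attribute statement -> group values -> membership delta."""
    idp_groups = extract_attribute_values(statement_xml, group_attribute)
    return plan_group_sync(idp_groups, current_memberships, existing_aem_groups)


if __name__ == "__main__":
    # Constructed state: the user is currently only in "contributor", and AEM
    # has "developer" and "contributor" pre-created but not "aneetsgroup".
    add, remove, unknown = sync_user_groups(
        SAMPLE_ATTRIBUTE_STATEMENT, "group",
        current_memberships=["contributor"],
        existing_aem_groups=["developer", "contributor"],
    )
    print("add to:     ", add)
    print("remove from:", remove)
    print("not in AEM: ", unknown)
```

Running it on the sample yields an add to "developer", a removal from "contributor", and "aneetsgroup" flagged as not pre-created. If you would rather leave locally managed groups alone, restrict `existing_aem_groups` to the set of groups you consider IDP-managed; the delta logic stays the same.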