Adobe Experience Manager Sites & More

gregy68980908 · 6/7/18

Is it possible to sync a user group from my IDP?

If I have a group called "developer" in my IDP and the same user group called "developer" in AEM, is there a way to add this to "Synchronized Attributes" so when the user logs in they are a part of that group in AEM as well? If so whats the sync path?

aneeta45259594 · 6/7/18

Hello gregy68980908

As you already have a group in AEM, the user logging in to AEM would be added as a member to this group if the SAML response contains the appropriate group attirubte. You will have to identify the group attribute and make sure that the SAML configuration in AEM looks for that group attribute. For example

If my SAML response contains the following

<saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aneetsgroup</saml2:AttributeValue>
</saml2:Attribute>

Then my SAML configuration should contain group as a value for the "Group Membership" field.

Best Regards,

Aneet Arora

View solution in original post

smacdonald2008 · 6/7/18

Only HELPX we have on SAML is here -- .Integrating SAML with Adobe Experience Manager

The Author is referenced in the artilce and his LINKED IN is specified. You can try to reach out to him. (why they are included in HELPX_articles.)

aneeta45259594 · 6/7/18

Hello gregy68980908

As you already have a group in AEM, the user logging in to AEM would be added as a member to this group if the SAML response contains the appropriate group attirubte. You will have to identify the group attribute and make sure that the SAML configuration in AEM looks for that group attribute. For example

If my SAML response contains the following

<saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aneetsgroup</saml2:AttributeValue>
</saml2:Attribute>

Then my SAML configuration should contain group as a value for the "Group Membership" field.

Best Regards,

Aneet Arora

Kunwar · 6/8/18

The groups created in the IDP are to be pre-created in AEM. Once the use tries to login and authenticated by the IDP, the success SAML response would contain the list of groups mapped over the group sync attribute.

SAML auth handler would update the group membership in accordance to the group values in SAML response for the users. In essence, It only create users in CRX and update the group membership

gregy68980908 · 6/8/18

Worked perfectly - thanks for the help!

Adobe Experience Manager Sites & More

SAML - Sync User Groups?

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe