Expand my Community achievements bar.

SOLVED

SAML - Sync User Groups?

Avatar

Level 3
Level 3
6/7/18 12:23:37 PM

Is it possible to sync a user group from my IDP?

If I have a group called "developer" in my IDP and the same user group called "developer" in AEM, is there a way to add this to "Synchronized Attributes" so when the user logs in they are a part of that group in AEM as well? If so whats the sync path?

Views

3.5K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 5
Level 5
6/7/18 2:13:20 PM

Hello gregy68980908

As you already have a group in AEM, the user logging in to AEM would be added as a member to this group if the SAML response contains the appropriate group attirubte. You will have to identify the group attribute and make sure that the SAML configuration in AEM looks for that group attribute. For example

If my SAML response contains the following

<saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aneetsgroup</saml2:AttributeValue>
</saml2:Attribute>

Then my SAML configuration should contain group as a value for the "Group Membership" field.

Best Regards,

Aneet Arora

View solution in original post

Views

2.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Level 10
Level 10
6/7/18 12:42:24 PM

Only HELPX we have on SAML is here -- .Integrating SAML with Adobe Experience Manager

The Author is referenced in the artilce and his LINKED IN is specified. You can try to reach out to him. (why they are included in HELPX_articles.)

Views

2.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 5
Level 5
6/7/18 2:13:20 PM

Hello gregy68980908

As you already have a group in AEM, the user logging in to AEM would be added as a member to this group if the SAML response contains the appropriate group attirubte. You will have to identify the group attribute and make sure that the SAML configuration in AEM looks for that group attribute. For example

If my SAML response contains the following

<saml2:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">developer</saml2:AttributeValue>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aneetsgroup</saml2:AttributeValue>
</saml2:Attribute>

Then my SAML configuration should contain group as a value for the "Group Membership" field.

Best Regards,

Aneet Arora

Views

2.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Employee
Employee
6/8/18 7:07:07 AM

The groups created in the IDP are to be pre-created in AEM. Once the use tries to login and authenticated by the IDP, the success SAML response would contain the list of groups mapped over the group sync attribute.

SAML auth handler would update the group membership in accordance to the group values in SAML response for the users. In essence,  It only create users in CRX and update the group membership

Views

2.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
6/8/18 8:44:19 AM

Worked perfectly - thanks for the help!

Views

2.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate