I am working on a use case where we are integrating SAML with our application. Basically, for new user login we are setting createUser to false so that whenever a user logs in from the IdP server, that user is not created in AEM.
For an existing user in the AEM publish environment, it should redirect to our portal; here no group is being returned in the Assertion response. Below is my SAML config:
{
  "path": [ "/content/csc-aem-commons/us/en", "/content/ipg-asc" ],
  "idpCertAlias": "$[env:SAML_IDP_CERT_ALIAS;default=certalias___1732570622676]",
  "idpIdentifier": "$[env:SAML_IDP_ID;default=https://login.microsoftonline.com/d026e4c1-5892-497a-b9da-ee493c9f0364]",
  "idpUrl": "$[env:SAML_IDP_URL;default=https://login.microsoftonline.com/d026e4c1-5892-497a-b9da-ee493c9f0364/saml2]",
  "serviceProviderEntityId": "$[env:SAML_AEM_ID;default=https://publish-p135571-e1386830.adobeaemcloud.com]",
  "useEncryption": false,
  "userIDAttribute": "",
  "createUser": false,
  "userIntermediatePath": "ipg/idp",
  "synchronizeAttributes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=profile/email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=profile/givenName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=profile/familyName"
  ],
  "addGroupMemberships": true,
  "groupMembershipAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
  "defaultGroups": [
    "Aem_deu_glb_agency_user"
  ],
  "handleLogout": true
}
Problem: we are getting an error for an existing user as the login token is not found. Can someone help with how we can fix this?
Getting this error
Basically, in cloud, IMS groups do not work on the publish environment; we have to create separate groups in AEM publish and provide permission.
Also, when a user is logged in through SAML, it gets created under the /idp folder, and all the groups that are part of the SAML response with the attribute as groupmembership will be attached to this user after logging in.
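The answer above depends on what the IdP actually sends and on which groups exist on publish, so the following added example (not code from the thread or from Adobe) checks a decoded assertion against the posted handler settings. The function names, the `publish_groups` set supplied by the administrator, and the sample assertion are assumptions made for illustration; the sample is constructed, not real IdP output.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Subset of the handler config posted in the question.
CONFIG = {
    "synchronizeAttributes": [CLAIMS + "emailaddress=profile/email",
                              CLAIMS + "surname=profile/familyName"],
    "addGroupMemberships": True,
    "groupMembershipAttribute": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "defaultGroups": ["Aem_deu_glb_agency_user"],
}

# Constructed sample: decoded assertion body without a groups claim (not real IdP output).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="%semailaddress">
   <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>""" % CLAIMS

def assertion_attributes(xml_text):
    """Map each saml:Attribute Name to its AttributeValue strings (no signature check)."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def audit(config, xml_text, publish_groups):
    """Compare one assertion with the config and the groups known to exist on publish."""
    attrs = assertion_attributes(xml_text)
    # Each synchronizeAttributes entry is "<claim name>=<profile property>".
    wanted = [m.rsplit("=", 1)[0] for m in config.get("synchronizeAttributes", [])]
    group_attr = config.get("groupMembershipAttribute", "")
    asserted = attrs.get(group_attr, []) if config.get("addGroupMemberships") else []
    referenced = list(dict.fromkeys(asserted + config.get("defaultGroups", [])))
    return {
        "missing_claims": [c for c in wanted if c not in attrs],
        "group_claim_present": group_attr in attrs,
        "asserted_groups": asserted,
        "groups_missing_on_publish": [g for g in referenced if g not in publish_groups],
    }

if __name__ == "__main__":
    # publish_groups is supplied by the admin; empty here means none created yet.
    print(audit(CONFIG, SAMPLE, publish_groups=set()))
```

This is a diagnostic over an assertion you have already captured and decoded; it does not validate the signature and is not a substitute for the handler's own checks.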
Hi @ASHISHIBM ,
Does your existing user on publish have any permissions?
Try to disable addGroupMemberships and don't provide groupMembershipAttribute.
Best regards,
Kostiantyn Diachenko.
@ASHISHIBM Did you find the suggestions helpful? If you need more information, please let us know. If a response resolved your issue, kindly mark it as correct to help others in the future. Alternatively, if you discovered a solution on your own, we'd appreciate it if you could share it with the community. Thank you!