AEM Cloud SAML 2.0 | how to pass multiple groups in groupMembershipAttribute property | Community
New Participant
March 25, 2025
Solved


Hi Team,

 

I am using SAML 2.0 Authentication for external users' authentication on our portal.

I have a use case where I want to add the user to multiple groups when they are authenticated. I am using the properties below:

addGroupMemberships : true

groupMembershipAttribute : "http://schemas.test.com/groups-name", [which will result in "group1, group2" values]

Once authenticated, the users are not getting added to both groups. It works when I pass only one group name, but not for more than one.

How can I pass more than one group in this property? Shall I try with a String array or string values? Can you please share some samples for groupMembershipAttribute?

Thanks,

SD

 

4 replies

SDusane | Author | Accepted solution
New Participant
March 27, 2025

Hi All,

 

The issue was resolved when I tried to use a String Array, e.g. ["group1","group2"],

and I could see in the SAML Assertion that the strings were passed as a single value 2 times, and it successfully added the user to both the groups, like:

 "http://schemas.test.com/groups-name" : "group1"

 "http://schemas.test.com/groups-name" : "group2"

 

Thank you all for your help.

 

Regards,

SD

narendiran_ravi
New Participant
March 25, 2025

Hi @sdusane ,

You need to map the group attribute sent in the SAML response from your IDP in the AEM SAML configuration. Refer to this: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/saml-sync-user-groups/m-p/275731

 

For the below example response, GroupMembership should be added as a value for groupMembershipAttribute in AEM SAML config.

<saml:AttributeStatement>
  <!-- Group Memberships -->
  <saml:Attribute Name="GroupMembership">
    <saml:AttributeValue xsi:type="xs:string">aem-authors</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">aem-editors</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">aem-administrators</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
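
The two assertion shapes discussed in the accepted solution and in the reply above, as an added example that is not part of the original thread or of AEM: the Python below reads a decoded AttributeStatement, lists each AttributeValue separately, and flags values that pack several group names into one string. The sample XML is constructed, and reading each AttributeValue as exactly one group name is an assumption based on the behaviour reported in this thread.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTR = "http://schemas.test.com/groups-name"  # attribute name from the question

# Constructed samples (not captured traffic): the same two groups sent as one
# delimited string, and as one AttributeValue per group.
JOINED = f"""<saml:AttributeStatement xmlns:saml="{NS['saml']}">
  <saml:Attribute Name="{ATTR}">
    <saml:AttributeValue>group1, group2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

MULTI = f"""<saml:AttributeStatement xmlns:saml="{NS['saml']}">
  <saml:Attribute Name="{ATTR}">
    <saml:AttributeValue>group1</saml:AttributeValue>
    <saml:AttributeValue>group2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def group_values(statement_xml, attr_name):
    """Return the text of every AttributeValue under the named Attribute.

    Debugging aid for an assertion you already hold; it does not verify the
    signature and must not be used to make an authorization decision.
    """
    root = ET.fromstring(statement_xml)
    values = []
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        if attr.get("Name") == attr_name:
            for v in attr.findall("saml:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def delimited_values(values, delimiters=",;|"):
    """Heuristic: values that look like several names packed into one string.
    DN-style group values also contain commas, so review hits by hand."""
    return [v for v in values if any(d in v for d in delimiters)]


def check(statement_xml, attr_name=ATTR):
    """Summarise what a consumer mapping one value to one group would see."""
    values = group_values(statement_xml, attr_name)
    return {"groups": values, "packed": delimited_values(values)}


if __name__ == "__main__":
    for label, sample in (("joined", JOINED), ("multi", MULTI)):
        print(label, check(sample))
```

Run it against the AttributeStatement copied from a decoded SAML response to see whether the IdP mapper emits one value per group before changing the AEM side.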

 

Mahedi_Sabuj
New Participant
March 25, 2025

Hi @sdusane,

If multiple groups are not working as expected, you can create a new group and assign it as a member of both existing groups. In this way, any members added to the newly created group will inherit permissions and access from both original groups.

Mahedi Sabuj

arunpatidar
New Participant
March 25, 2025

Hi @sdusane

It should be a list type.

Example: https://medium.com/@imrul001/comprehensive-guide-setting-up-saml-sso-between-keycloak-and-aem-0b134cdaac58

 

Mapper for groups (Group List): Employed the Group List mapper type for mapping group information, with the full group path disabled for simplicity.

Arun Patidar