AEM 6.0 Custom Authentication handler | Community
sunilrajp
Level 2
October 16, 2015
Solved

AEM 6.0 Custom Authentication handler

  • October 16, 2015
  • 17 replies
  • 7773 views

Hi, need your suggestions :-)

We are doing an SSO implementation in AEM 6.0.

The customer has their own home-grown login application. AEM (through the Dispatcher) will be protected by SiteMinder, so any user request will be taken to their custom login page, and after a successful login the return request back to AEM will contain headers such as the user name and other group attributes, etc.

The client does not want to integrate AEM with LDAP for any authentication from the AEM side. The requirement is to authenticate against the AEM CRX repository based on the header attributes. If the user already exists in CRX, let the user log in to AEM; otherwise create the user in CRX with a default password and also add them to the groups based on the group attributes in the header variable.

In this scenario, my understanding is that we do not need any custom Login Module, as AEM does not need to synchronize user authentication data from a third-party system, but we would need a custom authentication handler to authenticate against CRX (in a custom way, based on the user and group values retrieved from the header)?

Can someone confirm this approach? Does anyone have suggestions on how to write and integrate a custom authentication handler in AEM 6.0 (or is this as simple as enabling the SSO authentication handler)?

Thank you very much for your suggestions and thoughts :-)

Best answer by JustinEd3

I think you're correct - for this use case you need a custom authentication handler. The OOTB SSO handler could be used, but it depends upon the users already existing (or being creatable via LDAP or some other Login Module). But since you need to auto-create users based on the headers, you need to handle that in an authentication handler.

Are you sure you can't use SAMLv2? That would be significantly simpler (and is generally something which Siteminder does support).

Regards,

Justin
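A sketch of such a handler, as an added example that is not code from this thread or from Adobe: a Sling AuthenticationHandler that accepts the SiteMinder user and group headers only when the request arrived from the dispatcher SiteMinder protects, because a request that reaches the publisher directly could carry any value in those headers. The package, header names, dispatcher addresses and the reserved-account check are assumptions; creating the CRX user if absent, syncing groups and the password-less repository login are left to whatever consumes the returned AuthenticationInfo.

```java
package com.example.aem.auth; // hypothetical package; names below are assumptions
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.http.*;
import org.apache.felix.scr.annotations.*;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

// Accepts the identity SiteMinder asserts in request headers, but only from the dispatcher.
@Component(immediate = true)
@Service(AuthenticationHandler.class)
@Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/")
public class SiteminderHeaderAuthHandler implements AuthenticationHandler {
    static final String AUTH_TYPE = "SiteminderHeader";
    // Header names and dispatcher addresses are assumptions; read them from OSGi config in practice.
    static final String USER_HEADER = "SM_USER";
    static final String GROUPS_HEADER = "SM_GROUPS";
    static final Set<String> TRUSTED_DISPATCHERS = new HashSet<String>(Arrays.asList("10.0.0.10", "10.0.0.11"));
    static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        String user = request.getHeader(USER_HEADER);
        if (user == null || user.isEmpty()) {
            return null; // no SiteMinder assertion: leave the request to other handlers / anonymous
        }
        // Trust boundary: a request that bypassed SiteMinder can carry any SM_USER, so headers count only from the dispatcher
        if (!TRUSTED_DISPATCHERS.contains(request.getRemoteAddr())) {
            return null; // ignore the header entirely (and log it as a spoofing attempt)
        }
        // Only plain account names are accepted; built-in system accounts are never asserted by header.
        if (!SAFE_ID.matcher(user).matches() || "admin".equals(user)) {
            return AuthenticationInfo.FAIL_AUTH;
        }
        AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, user);
        info.put("siteminder.groups", parseGroups(request.getHeader(GROUPS_HEADER)));
        // Creating the CRX user if absent, syncing groups and the password-less login belong to the consumer of this info
        return info;
    }

    // Splits the comma-separated groups header, dropping anything that is not a plain group id.
    static Set<String> parseGroups(String header) {
        Set<String> groups = new HashSet<String>();
        for (String g : (header == null ? "" : header).split(",")) {
            String id = g.trim();
            if (SAFE_ID.matcher(id).matches()) groups.add(id);
        }
        return groups;
    }

    @Override public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) { return false; } // SiteMinder challenges at the dispatcher
    @Override public void dropCredentials(HttpServletRequest request, HttpServletResponse response) { } // logout is SiteMinder's job
}
```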

17 replies

nikrohit78
February 27, 2018

Thanks Navin, but we cannot upgrade any infra.

Can SAML authentication help here? Can I assume that when internal users open Internet Explorer (which is what they mostly use), they will be logged in via SSO, and hence when they type in the application URL the request will land at the SAML authenticator?

Adobe Employee
February 27, 2018

You should be able to do this without any customization in AEM by integrating AEM with ADFS via SAML. I don't know the details of how to configure domain authentication (which I think is what you are describing) in ADFS, but I suspect it is fairly straightforward.

FWIW, inside Adobe we do something similar, although we use Okta, not ADFS. We require MFA for most internal applications, though, so even though I never enter a password when I'm on the corporate network, I have to accept a push message on my phone at least once a day (well, more, because I'm using multiple browsers).

navinkaushal
Level 4
February 28, 2018

ADFS can be configured as an Identity Provider in the existing SAML server. Once that is done, users logged in through ADFS should be logged in seamlessly.

nikrohit78
February 28, 2018

I agree. If we configure SAML-based authentication in AEM, internal users will be validated against ADFS (I am hoping they will not be asked for a username/password once logged into the corporate network). But what happens to external customers who will be in AEM and will not be authenticated by ADFS? They should be shown the AEM login page.

Will they not be challenged by ADFS authentication page for credentials?

navinkaushal
Level 4
February 28, 2018

I believe not, assuming you don't also have ADFS configured for authentication for internal users.

nikrohit78
February 28, 2018

ADFS is configured for internal users, because internal users are all in the corporate AD.

But the external users will be in AEM, hence they will be shown the AEM login page and will be authenticated by AEM.

navinkaushal
Level 4
February 28, 2018

Yes. External users would not be able to access your AEM system, as their permissions, I assume, would be configured that way.