Alternatives to LDAP in AEM (With LDAP Retirement in 2026) – Compatible with On‑Premise and AEM as a Cloud Service?”

Hi ​@Kirthika 
 

Just to clarify something important here - LDAP as a protocol is not being retired. What is actually happening is that AEM 6.5 support is ending in August 2026, and this is what is driving the conversation around moving away from LDAP-based authentication. You can read the official Adobe release roadmap here https://experienceleague.adobe.com/en/docs/experience-manager-release-information/aem-release-updates/update-releases-roadmap

That said, it is still a very valid question because depending on where you are in your AEM journey, the answer is different.

If you are still on AEM 6.5

You can still use LDAP today - AEM 6.5 supports direct LDAP and Active Directory integration via Apache Jackrabbit Oak and that is not going anywhere until August 2026. However, after that date you will no longer receive security patches or bug fixes for those modules unless you have an extended support agreement with Adobe, which runs until February 2027. So if you are still on AEM 6.5, you should be actively planning your migration now rather than waiting for the deadline to hit.

If you are moving to AEMaaCS

This is where things change fundamentally. AEMaaCS does not support the traditional direct LDAP configuration where AEM talks directly to your on-premise LDAP server. That model is gone. Authentication in AEMaaCS is centralised through Adobe Identity Management System (IMS) and the Adobe Admin Console.  

What this means practically is

• Your Author tier authentication goes through Adobe IMS. If your organization has a corporate IDP sitting on top of your LDAP or Active Directory, like Okta, Azure AD, or Ping - you federate that IDP to Adobe IMS via SAML 2.0. Your users still log in with their corporate credentials, Adobe IMS just acts as the broker.
• Your Publish tier authentication is handled via SAML 2.0 directly, configured through OSGi and deployed via Cloud Manager. Adobe has good documentation on this here https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/authentication/saml-2-0
• AEMaaCS also now supports OIDC (OpenID Connect) on the Publish tier. This is a relatively recent addition from Adobe and is worth knowing about if your organisation uses an OIDC-based IDP like Azure AD, Okta, or Auth0 - it means you can integrate directly without needing any custom implementation. You can read about it here https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/security/open-id-connect-support-for-aem-as-a-cloud-service-on-publish-tier.

Also, if you are dealing with a large user base, moving to IMS will significantly reduce the performance overhead that traditional LDAP sync often causes on AEM instances, which is a nice added benefit of the migration.

Hope this helps clarify things!

Thanks

Veena