Integrating AEM 6.5.21 on premise to Azure SSO groups | Community
Level 2
January 26, 2026
Solved


Hello AEM Community,

We have an AEM 6.5.21 setup (Author, Publish, Dispatcher) running in our digital platform to serve content. Today we’re using the default AEM user/group administration to provide access for developers and support teams. To improve security and streamline access management, we want to integrate Azure AD SSO and map Azure AD groups to AEM permissions.

We’re evaluating SAML 2.0 vs OIDC for best compatibility with AEM 6.5.21, and we’re looking for guidance from anyone who has implemented this in a similar architecture.

What we’ve explored so far

  • Many available guides seem outdated.
  • Our current draft approach is SAML: configure the TrustStore (certs) and set up the Adobe Granite SAML 2.0 Authentication Handler.

What we’re looking for

  1. Recommended approach for AEM 6.5.21: SAML vs OIDC (pros/cons, supportability, common patterns).
  2. Granular steps / configuration considerations for Azure AD SAML with AEM:
    • TrustStore / certificate handling
    • IdP metadata / SP configuration details that commonly trip people up
    • User provisioning / Just-In-Time provisioning patterns (if applicable)
    • Group/role mapping approaches (Azure AD group claims → AEM groups/ACLs)
  3. Common pitfalls and operational challenges, especially with:
    • Author vs Publish (interactive vs headless/content delivery use cases)
    • Dispatcher interactions (login redirects, caching, invalidation concerns)
    • Session handling, logout, clock skew, certificate rollover, etc.

If anyone has recent documentation links, reference implementations, or lessons learned, please share.

Thanks!

    2 replies

    kautuk_sahni
    Community Manager
    February 2, 2026

    @Asutosh_Jena_ @lukasz-m @DEBAL_DAS @ArpitVarshney @Vaibhavi_J @Imran Khan @Siva_Sogalapalli @Anmol_Bhardwaj @Sady_Rifat Tagging you to see if you might want to share any best practices or insights on this topic. Your expertise would be greatly appreciated, thank you!

    Kautuk Sahni
    lukasz-m
    Community Advisor
    Accepted solution
    February 3, 2026

    Hi @Pavan_KumarTi,

    I do not think OIDC is available on AEM 6.5, which means SAML would be the way to go.

    Regarding configuration, I have always followed official documentation:

    Additionally, in case you would like to configure SAML on publish as well, combined with gated content, you should consider configuring user synchronization as well.

    Level 2
    February 12, 2026

    Thanks a lot for sharing your insights @lukasz-m, just wanted to understand if there would be any possibility for us to manage the user permissions as well in this mechanism, like if we need a set of users to be admins and a set not to be, can we manage that in SAML, or would we need to add multiple AD groups for this?

    Also, I would like to understand if there is a mechanism in AEM to clean out users from useradmin after logout, or after being inactive for some days?
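As an added illustration (not code from this thread or from AEM) of the group-mapping and clock-skew points in the question and of the "admins vs non-admins" follow-up: Azure AD delivers group membership in the `http://schemas.microsoft.com/ws/2008/06/identity/claims/groups` attribute (group object IDs by default), and the practical pattern is one Azure AD group per AEM role, mapped to an AEM group that carries the permissions, rather than any admin flag in the assertion. The snippet models that mapping plus the assertion validity window with a clock tolerance over a constructed assertion; the group object IDs, SP entity id and mapping table are invented, and signature verification (which the SAML handler does against the TrustStore certificate) is not modelled.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD emits group membership under this claim URI; the values are group
# object IDs unless the enterprise app is configured to emit group names.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
SP_ENTITY_ID = "https://author.example.com/saml_login"  # constructed SP entity id
# Constructed mapping: Azure AD group object ID -> AEM group id. "Admin vs not"
# is a matter of membership in a dedicated AEM group, never a flag in the assertion.
AZURE_TO_AEM = {
    "11111111-2222-3333-4444-555555555555": "aem-developers",
    "66666666-7777-8888-9999-000000000000": "administrators",
}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def conditions_ok(cond, now, tolerance_s):
    # Validity window widened by the clock tolerance, then the audience restriction.
    skew = timedelta(seconds=tolerance_s)
    if now < _ts(cond.get("NotBefore")) - skew:
        return False
    if now >= _ts(cond.get("NotOnOrAfter")) + skew:
        return False
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    return SP_ENTITY_ID in audiences

def map_assertion(assertion_xml, now_utc, tolerance_s=60):
    """Return the AEM groups to grant, or None if the assertion must be rejected."""
    root = ET.fromstring(assertion_xml)
    if not conditions_ok(root.find("saml:Conditions", NS), _ts(now_utc), tolerance_s):
        return None
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{GROUPS_CLAIM}']/saml:AttributeValue"
    claimed = [v.text.strip() for v in root.iterfind(path, NS)]
    mapped = sorted({AZURE_TO_AEM[g] for g in claimed if g in AZURE_TO_AEM})
    unmapped = sorted(g for g in claimed if g not in AZURE_TO_AEM)  # worth logging, never granted
    return {"user": user, "aem_groups": mapped, "unmapped": unmapped}
# Constructed, unsigned sample assertion (signature handling is out of scope here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>dev.user@example.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2026-02-03T10:00:00Z" NotOnOrAfter="2026-02-03T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://author.example.com/saml_login</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
  <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
  <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
```

Calling `map_assertion(SAMPLE, "2026-02-03T10:01:00Z")` grants only `aem-developers` and reports the unknown object ID as unmapped; a timestamp past the window plus tolerance returns `None`.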