Integrating AEM 6.5.21 on-premises with Azure SSO groups
Hello AEM Community,
We have an AEM 6.5.21 setup (Author, Publish, Dispatcher) running in our digital platform to serve content. Today we’re using the default AEM user/group administration to provide access for developers and support teams. To improve security and streamline access management, we want to integrate Azure AD SSO and map Azure AD groups to AEM permissions.
We’re evaluating SAML 2.0 vs OIDC for best compatibility with AEM 6.5.21, and we’re looking for guidance from anyone who has implemented this in a similar architecture.
What we’ve explored so far
- Many available guides seem outdated.
- Our current draft approach is SAML: configure the TrustStore (certs) and set up the Adobe Granite SAML 2.0 Authentication Handler.
What we’re looking for
- Recommended approach for AEM 6.5.21: SAML vs OIDC (pros/cons, supportability, common patterns).
- Granular steps / configuration considerations for Azure AD SAML with AEM:
  - TrustStore / certificate handling
  - IdP metadata / SP configuration details that commonly trip people up
  - User provisioning / Just-In-Time provisioning patterns (if applicable)
  - Group/role mapping approaches (Azure AD group claims → AEM groups/ACLs)
- Common pitfalls and operational challenges, especially with:
  - Author vs Publish (interactive vs headless/content delivery use cases)
  - Dispatcher interactions (login redirects, caching, invalidation concerns)
  - Session handling, logout, clock skew, certificate rollover, etc.
If anyone has recent documentation links, reference implementations, or lessons learned, please share.
Thanks!