
SOLVED

AEM 6.0 Custom Authentication handler


Level 2

Hi, I need your suggestions :-)

We are doing an SSO implementation in AEM 6.0.

The customer has their own home-grown login application. AEM (through Dispatcher) will be protected by Siteminder, so any user request will be taken to their custom login page, and after a successful login the request returned to AEM will contain headers such as the user name and other group attributes.

The client does not want to integrate AEM with LDAP for any authentication from the AEM side. The requirement is to authenticate against the AEM CRX repository based on the header attributes. If the user already exists in CRX, let the user log in to AEM; else create the user in CRX with a default password and also add them to the groups based on the group attributes in the header variable.

In this scenario, my understanding is that we do not need any custom Login Module, as AEM does not need to synchronize user authentication data from a third-party system, but we would need a custom authentication handler to authenticate against CRX (in a custom way, based on the user and group values retrieved from the headers)?

Can someone confirm this approach? Does anyone have suggestions on how to write and integrate a custom authentication handler in AEM 6.0 (or is this as simple as enabling the SSO authentication handler)?

Thank you very much for suggestions and thoughts :-) 

1 Accepted Solution


Correct answer by
Employee

I think you're correct - for this use case you need a custom authentication handler. The OOTB SSO handler could be used, but it depends upon the users already existing (or being creatable via LDAP or some other Login Module). But since you need to auto-create users based on the headers, you need to handle that in an authentication handler.

Are you sure you can't use SAMLv2? That would be significantly simpler (and is generally something which Siteminder does support).

Regards,

Justin


17 Replies



Level 10

In addition, the team is working on posting Justin's Ask the AEM Community Experts session on this subject. It should be posted very soon.

Once it is posted, I will update this thread with the link.


Level 2

We were able to complete the POC successfully by creating a custom authentication handler. Thank you Justin and Scott!


Level 2

Hi Sunil, can you please share the code of the custom authentication handler? My client has their own login details (not an LDAP server) and wants to log in to AEM with the user ID/password from the client system. When a user logs in for the first time, it should create the user in the AEM system.


Level 2

Hi Hari,

I guess that, unlike in our case, it would need an external identity provider in your case, as you need to authenticate against a user repository outside AEM.

In our POC all we needed to do was modify the extractCredentials method to read the username and password from headers. Pseudocode logic below. Please note it was only a POC to validate the architecture and not a complete working solution.

 

    // Imports needed by the two members below (the rest of the handler class is omitted).
    import javax.jcr.RepositoryException;
    import javax.jcr.Session;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.felix.scr.annotations.Reference;
    import org.apache.jackrabbit.api.JackrabbitSession;
    import org.apache.jackrabbit.api.security.user.UserManager;
    import org.apache.sling.api.resource.LoginException;
    import org.apache.sling.api.resource.ResourceResolver;
    import org.apache.sling.api.resource.ResourceResolverFactory;
    import org.apache.sling.auth.core.spi.AuthenticationInfo;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    private static final Logger log = LoggerFactory.getLogger(CustomAuthenticationHandler.class);

    @Reference
    private ResourceResolverFactory resolverFactory;

    public AuthenticationInfo extractCredentials(HttpServletRequest request,
                                                 HttpServletResponse response) {
        log.info("*** My Custom Authentication Handler: CustomAuthenticationHandler extractCredentials ***");
        String uid = request.getHeader("username");
        String pwd = request.getHeader("pwd");
        if (uid == null || pwd == null) {
            return null; // no header credentials on this request: let the other handlers try
        }
        try {
            createCQUsers(uid, pwd);
        } catch (LoginException | RepositoryException e) {
            log.error("Could not create user {}", uid, e);
            return AuthenticationInfo.FAIL_AUTH;
        }
        // The password is then verified against CRX by the default login module.
        return new AuthenticationInfo(CustomAuthenticationHandler.AUTH_TYPE, uid, pwd.toCharArray());
    }

    // Creates the user in CRX if it does not exist yet; a no-op when it already does.
    private void createCQUsers(String uid, String pwd) throws LoginException, RepositoryException {
        ResourceResolver resourceResolver = resolverFactory.getAdministrativeResourceResolver(null);
        try {
            Session session = resourceResolver.adaptTo(Session.class);
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            if (userManager.getAuthorizable(uid) == null) {
                userManager.createUser(uid, pwd);
                session.save();
            }
        } finally {
            resourceResolver.close();
        }
    }
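For anyone arriving at this thread later: the following is an added example, not code from this thread, from Sunil's POC or from Adobe. It is one way to write the handler Justin's accepted answer describes, with the parts the POC above left out: the user is only looked up and created when the request can prove it came through the Dispatcher/Siteminder layer (otherwise anyone who can reach the AEM port directly could log in as any user simply by sending the header), group memberships from the group header are synced, a service user is used instead of the administrative resolver, and the user is logged in with an AEM login token rather than a password. Everything named here is an assumption: the package and class names, the SM_USER, SM_GROUPS and X-Dispatcher-Secret header names, the shared.secret OSGi property, the user-sync subservice (which needs a Sling ServiceUserMapper entry pointing at a user allowed to write under /home), and the /content/example path. TokenUtil.createCredentials is used on the understanding that it is the token-login API the OOTB SSO handler in AEM 6.x uses; check it against your version's API jar.

```java
package com.example.aem.auth;                       // hypothetical package
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import java.util.UUID;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.jcr.api.SlingRepository;
import com.day.crx.security.token.TokenUtil;

@Component(immediate = true, metatype = true)
@Service(AuthenticationHandler.class)
@Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/content/example") // hypothetical path
public class HeaderSsoAuthenticationHandler implements AuthenticationHandler {
    // Header names and subservice name are assumptions: use what the Siteminder agent really sets,
    // and map "user-sync" via the Sling ServiceUserMapper to a user allowed to write under /home.
    static final String USER_HEADER = "SM_USER";
    static final String GROUPS_HEADER = "SM_GROUPS";
    static final String SECRET_HEADER = "X-Dispatcher-Secret";
    static final String SUBSERVICE = "user-sync";

    @Property(name = "shared.secret", value = "")
    private String sharedSecret;       // set by the dispatcher on every forwarded request
    @Reference private ResourceResolverFactory resolverFactory;
    @Reference private SlingRepository repository;

    @Activate
    protected void activate(Map<String, Object> props) {
        sharedSecret = PropertiesUtil.toString(props.get("shared.secret"), "");
    }

    // Honour identity headers only when the request proves it came through the proxy. Anyone who
    // can reach the AEM port directly could otherwise log in as any user by setting SM_USER.
    boolean fromTrustedProxy(HttpServletRequest req) {
        String presented = req.getHeader(SECRET_HEADER);
        if (sharedSecret.isEmpty() || presented == null) return false;   // fail closed
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
                sharedSecret.getBytes(StandardCharsets.UTF_8));             // constant-time compare
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse resp) {
        String uid = req.getHeader(USER_HEADER);
        if (uid == null || uid.isEmpty() || !fromTrustedProxy(req)) return null; // not ours
        try {
            syncUser(uid, req.getHeader(GROUPS_HEADER));
            // Log the user in with an AEM login token (as the OOTB SSO handler does), not a password.
            return TokenUtil.createCredentials(req, resp, repository, uid, true);
        } catch (Exception e) {
            return AuthenticationInfo.FAIL_AUTH;   // repository or token failure: deny, do not fall through
        }
    }

    // Create the CRX user on first sight (random, unused password) and sync its group memberships.
    void syncUser(String uid, String groupsHeader) throws Exception {
        ResourceResolver rr = resolverFactory.getServiceResourceResolver(
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE));
        try {
            Session session = rr.adaptTo(Session.class);
            UserManager um = ((JackrabbitSession) session).getUserManager();
            Authorizable existing = um.getAuthorizable(uid);
            User user = existing != null ? (User) existing : um.createUser(uid, UUID.randomUUID().toString());
            if (groupsHeader != null) {
                for (String name : groupsHeader.split(",")) {
                    String groupId = name.trim();
                    if (groupId.isEmpty()) continue;
                    Authorizable g = um.getAuthorizable(groupId);
                    Group group = g != null ? (Group) g : um.createGroup(groupId);
                    group.addMember(user);
                }
            }
            session.save();
        } finally {
            rr.close();
        }
    }

    // The challenge is Siteminder's login page in front of the dispatcher, so AEM never prompts here.
    @Override public boolean requestCredentials(HttpServletRequest req, HttpServletResponse resp) { return false; }

    // Nothing to drop here: AEM's token handler clears the login-token cookie on logout.
    @Override public void dropCredentials(HttpServletRequest req, HttpServletResponse resp) { }
}
```

Two design points worth checking in a real deployment: the shared secret must be something only the Dispatcher can add (strip any client-supplied X-Dispatcher-Secret and SM_* headers at the Dispatcher before adding your own), and group membership is synced on every request, so a group removed on the Siteminder side is not removed in CRX by this code; that needs an explicit reconciliation step.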


Level 2

Thank you for the update Sunil. In my case also, I want to authenticate the users with the SSO system. I mean, when a user enters credentials on the AEM login screen, it should validate them against SSO and create the user in the system. I don't want to create users manually (because manual creation requires the password to be read, which is not good). Is there any way I can configure the SSO authentication handler so that the credentials are validated and the user is created in the system the first time? I have gone through the link below, but it doesn't have the full details.

http://docs.adobe.com/docs/en/aem/6-0/deploy/configuring/single-sign-on.html


Level 10

If you think that the AEM doc topic does not provide enough information to address your use case, please log a bug against the docs. In the bug report, please specify:

1 - the URL

2 - why you think there is a bug.

3 - what information you think is missing. 

Log a bug here: 

https://helpx.adobe.com/marketing-cloud/contact-support.html


Level 1

Hi Justin,

I have a similar Use Case but a little variation. Please see if you can help me by suggesting a solution.

We have our internal users in ADFS and external users in AEM. The requirement is that when any internal user tries to access the application URL from the office network, they should be authenticated directly by ADFS and land in the application (it doesn't matter if they don't exist in the AEM repo).

Whereas when external user tries to access the application URL (obviously from outside office network), they should be challenged with user credentials.

Thanks


Level 4

nikrohit78

What you can do is

Set up a local SSO server which uses your ADFS as the authentication provider. Once a user logs in using your SSO, he/she should be able to log in seamlessly.


Level 1

Thanks Navin, but we can not upgrade any infra.

Can SAML authentication help here? Can I assume that when internal users open Internet Explorer (which is what they mostly use), they will be logged in via SSO, and hence when they type in the application URL the request will land at the SAML authenticator?


Employee

You should be able to do this without any customization in AEM by integrating AEM with ADFS via SAML. I don't know the details of how to configure domain authentication (which I think is what you are describing) in ADFS, but I suspect it is fairly straightforward.

FWIW, inside Adobe we do something similar, although we use Okta, not ADFS. We require MFA for most internal applications, so even though I never enter a password when I'm on the corporate network, I have to accept a push message on my phone at least once a day (well, more, because I'm using multiple browsers).


Level 4

ADFS can be configured as an identity provider in the existing SAML server. Once that is done, a user logged in through ADFS should be logged in seamlessly.


Level 1

I agree. If I configure SAML-based authentication in AEM, internal users will be validated against ADFS (I am hoping they will not be asked for a username/password once logged in to the corporate network). But what happens to the external customers who will be in AEM and will not be authenticated by ADFS? They should be shown the AEM login page.

Will they not be challenged by ADFS authentication page for credentials?


Level 4

I believe not, assuming you don't also have ADFS configured for authentication for internal users.


Level 1

ADFS is configured for internal users, because internal users are all in the corporate AD.

But the external users will be in AEM, hence they will be shown the AEM login page and will be authenticated by AEM.


Level 4

Yes. External users would not be able to access your AEM system, as their permissions, I assume, would be configured that way.