AEM 6.0 Custom Authentication handler | Community
sunilrajp
October 16, 2015

Hi, need your suggestions :-)

 We are doing an SSO implementation in AEM 6.0.

The customer has their own home-grown login application. AEM (through Dispatcher) will be protected by Siteminder, so any user request will be taken to their custom login page, and after a successful login the return request back to AEM will contain headers like user name and other group attributes, etc.

The client does not want to integrate AEM with LDAP for any authentication from the AEM side. The requirement is to authenticate against the AEM CRX repository based on the header attributes. If the user already exists in CRX, let the user log in to AEM; otherwise create the user in CRX with a default password and also add them to the groups based on the group attributes in the header variable.

In this scenario, my understanding is that we do not need any custom Login Module, as AEM does not need to synchronize user authentication data from a third-party system, but we would need a custom authentication handler to authenticate against CRX (in a custom way, based on the user and group values retrieved from the header)?

Can someone confirm this approach? Does anyone have suggestions on how to write and integrate a custom authentication handler in AEM 6.0 (or is this as simple as enabling the SSO authentication handler)?

Thank you very much for suggestions and thoughts :-) 


smacdonald2008
October 16, 2015

In addition, the team is working on posting Justin's Ask the AEM Community Experts session on this subject. It should be posted very soon.

Once it is posted, I will update this thread with the link.

sunilrajp (Author)
October 16, 2015

We were able to complete the POC successfully by creating a Custom Authentication Handler. Thank you Justin and Scott!

hari_krishna_s1
October 16, 2015

Hi Sunil, can you please share the code of the custom authentication handler? My client has their own login details (not an LDAP server) and wants to log in to AEM with the userid/pwd in the client system. When the user logs in for the first time, it should create the user in the AEM system.

sunilrajp (Author)
October 16, 2015

Hi Hari,

I guess, unlike in our case, it would need an external identity provider in your case, as you need to authenticate against a user repository outside AEM.

In our POC, all we needed to do was modify the extractCredentials method to read the username and password from headers. Pseudo-code logic is below. Please note it was only a POC to validate the architecture and not a complete working solution.

    import javax.jcr.RepositoryException;
    import javax.jcr.Session;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.felix.scr.annotations.Reference;
    import org.apache.jackrabbit.api.JackrabbitSession;
    import org.apache.jackrabbit.api.security.user.UserManager;
    import org.apache.sling.api.resource.LoginException;
    import org.apache.sling.api.resource.ResourceResolver;
    import org.apache.sling.api.resource.ResourceResolverFactory;
    import org.apache.sling.auth.core.spi.AuthenticationInfo;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public static final String AUTH_TYPE = "CUSTOM_HEADER";
    private static final Logger log = LoggerFactory.getLogger(CustomAuthenticationHandler.class);
    private boolean notAuthenticated;

    @Reference
    private ResourceResolverFactory resolverFactory;

    public AuthenticationInfo extractCredentials(HttpServletRequest request,
                                                 HttpServletResponse response) {
        log.info("*** My Custom Authentication Handler: CustomAuthenticationHandler extractCredentials ***");
        // POC only: the SSO layer passes the user name and password as request headers
        String uid = request.getHeader("username");
        String pwd = request.getHeader("pwd");

        // Make sure the CRX user exists, then hand Sling the credentials to log in with
        createCQUsers(uid, pwd);
        AuthenticationInfo authInfo = new AuthenticationInfo(CustomAuthenticationHandler.AUTH_TYPE, uid, pwd.toCharArray());
        notAuthenticated = authInfo.isEmpty();
        return authInfo;
    }

    // Creates the CRX user with the given password if it does not exist yet;
    // createUser() throws if the id is already taken, so check first.
    public void createCQUsers(String uid, String pwd) {
        ResourceResolver resourceResolver = null;
        try {
            resourceResolver = resolverFactory.getAdministrativeResourceResolver(null);
            Session session = resourceResolver.adaptTo(Session.class);
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            if (userManager.getAuthorizable(uid) == null) {
                userManager.createUser(uid, pwd);
                session.save();
            }
        } catch (LoginException | RepositoryException e) {
            log.error("Could not create CRX user {}", uid, e);
        } finally {
            if (resourceResolver != null) {
                resourceResolver.close();   // the administrative resolver must always be released
            }
        }
    }
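
As an added illustration, not code from this thread or from Adobe, here is what the same handler looks like when it covers the full requirement from the original question (create the user on first login and join the groups named in the header) and treats the incoming headers as untrusted input. Everything specific to it is an assumption for the example: the package, the header names SM_USER, SM_GROUPS and X-Proxy-Secret, the group prefix and the OSGi property name. The Sling AuthenticationHandler SPI, the Jackrabbit UserManager API and AEM's TokenUtil are the real APIs it builds on.

```java
package com.example.sso; // hypothetical package, not from the thread
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.day.crx.security.token.TokenUtil;

@Component(metatype = true, immediate = true)
@Service(AuthenticationHandler.class)
@Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/content")
public class HeaderSsoAuthenticationHandler implements AuthenticationHandler {
    private static final Logger LOG = LoggerFactory.getLogger(HeaderSsoAuthenticationHandler.class);
    // Assumed header names and group prefix; substitute the ones Siteminder actually sets.
    private static final String USER_HEADER = "SM_USER";
    private static final String GROUP_HEADER = "SM_GROUPS";
    private static final String SECRET_HEADER = "X-Proxy-Secret";
    private static final String GROUP_PREFIX = "sso-";

    @Property(value = "") // shared secret the Dispatcher adds to forwarded requests; set it in OSGi config
    static final String PROP_SECRET = "proxy.secret";
    private byte[] secret;
    @Reference private SlingRepository repository;
    private final SecureRandom random = new SecureRandom();

    @Activate
    protected void activate(Map<String, Object> cfg) {
        secret = PropertiesUtil.toString(cfg.get(PROP_SECRET), "").getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Identity headers are trusted only if the proxy secret is configured and matches (constant-time compare).
        String presented = request.getHeader(SECRET_HEADER);
        if (secret.length == 0 || presented == null
                || !MessageDigest.isEqual(secret, presented.getBytes(StandardCharsets.UTF_8))) {
            return null; // not a request from the SSO layer: let other handlers or anonymous access apply
        }
        String uid = request.getHeader(USER_HEADER);
        if (uid == null || (uid = uid.trim()).isEmpty()) return null;
        JackrabbitSession admin = null;
        try {
            admin = (JackrabbitSession) repository.loginAdministrative(null); // AEM 6.0 API
            syncUser(admin, uid, request.getHeader(GROUP_HEADER));
            // Issue AEM's own login token for the now-existing user; no password is involved.
            return TokenUtil.createCredentials(request, response, repository, uid, false);
        } catch (RepositoryException e) {
            LOG.error("SSO provisioning failed for user {}", uid, e);
            return AuthenticationInfo.FAIL_AUTH;
        } finally {
            if (admin != null) admin.logout();
        }
    }

    // Creates the user on first sight and joins the CRX groups named in the header.
    private void syncUser(JackrabbitSession session, String uid, String groups) throws RepositoryException {
        UserManager um = session.getUserManager();
        Authorizable user = um.getAuthorizable(uid);
        if (user == null) {
            // Random, discarded password: the account only logs in via SSO, so a shared default is needless risk.
            user = um.createUser(uid, new BigInteger(130, random).toString(32));
        }
        if (groups != null && !user.isGroup()) {
            for (String name : groups.split(",")) {
                // Only pre-existing, prefixed groups: header content can neither create groups nor grant administrators.
                Authorizable g = name.trim().startsWith(GROUP_PREFIX) ? um.getAuthorizable(name.trim()) : null;
                if (g != null && g.isGroup()) {
                    ((Group) g).addMember(user);
                }
            }
        }
        session.save();
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) {
        return false; // the login page belongs to Siteminder; AEM has nothing to prompt with
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Logout is owned by the SSO layer; nothing to clear on the AEM side.
    }
}
```

Two design points matter here. The identity headers are honoured only when the request carries a secret that the Dispatcher adds and a client connecting directly cannot know; without that check, anything that reaches extractCredentials with a forged user header would be logged in as that user. And the user is created with a random password that is never used again and is joined only to groups that already exist under a known prefix, so the header can neither reuse a shared default password nor promote a user into administrators. TokenUtil then issues AEM's normal login token, which is why the handler never needs the user's password at all.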

hari_krishna_s1
October 16, 2015

Thank you for the update, Sunil. In my case also, I want to authenticate the users with the SSO system. I mean, when the user passes credentials on the AEM login screen, it should validate those against SSO and create the user in the system. I don't want to create users manually (because manual creation requires the password to be read, which is not good). Is there any way I can configure the SSO authentication handler so that the credentials are validated and the user is created the first time in the system? I have gone through the link below, but it doesn't have the full details.

http://docs.adobe.com/docs/en/aem/6-0/deploy/configuring/single-sign-on.html

smacdonald2008
October 16, 2015

If you think that the AEM doc topic does not provide enough information to address your use case, please log a bug against the docs. In the bug report, please specify:

1 - the URL

2 - why you think there is a bug.

3 - what information you think is missing. 

Log a bug here: 

https://helpx.adobe.com/marketing-cloud/contact-support.html

JustinEd3 (Adobe Employee, accepted solution)
October 16, 2015

I think you're correct - for this use case you need a custom authentication handler. The OOTB SSO handler could be used, but it depends upon the users already existing (or being creatable via LDAP or some other Login Module). But since you need to auto-create users based on the headers, you need to handle that in an authentication handler.

Are you sure you can't use SAMLv2? That would be significantly simpler (and is generally something which Siteminder does support).

Regards,

Justin

navinkaushal
April 24, 2017
nikrohit78
February 20, 2018

Hi Justin,

I have a similar Use Case but a little variation. Please see if you can help me by suggesting a solution.

We have our internal users in ADFS and external users in AEM. The requirement is that when any internal user tries to access the application URL from the office network, they should be directly authenticated by ADFS and land on the application (it doesn't matter even if they don't exist in the AEM repo).

Whereas when an external user tries to access the application URL (obviously from outside the office network), they should be challenged for user credentials.

Thanks

navinkaushal
February 27, 2018

nikrohit78

What you can do is set up a local SSO server which uses your ADFS as the authentication provider. Once the user logs in using your SSO, he/she should be able to log in seamlessly.