AEM LDAP VS SAML VS Custom Login Module

Level 5

Please validate the AEM LDAP vs SAML vs custom login module authentication behaviour described below, and also provide any additional inputs.

In case of LDAP authentication -

AEM provides this as a JAAS login module. An LDAP user need not be present in the AEM user node and can be directly mapped from an LDAP role to AEM user groups, each of which has a single pre-created user (for impersonation); permissions can be applied to the authenticated user based on the mapped groups' ACLs, and the end user need not be physically present in AEM. This can avoid the publish node user information sync-up overhead.

In case of SAML authentication -

AEM provides this as an authentication handler. These authenticated users need to be present in the AEM user node (they can be auto-created as well) and are dynamically mapped to AEM user groups; permissions can be applied to the authenticated user only if the user is physically present in AEM.

Custom Login Module

If LDAP and SAML still need the user to be created in the AEM user node, would a custom login module, which can impersonate the end user (after third-party/enterprise authentication) as the required pre-created AEM user group, be the solution, so as to have minimal user data in the AEM repo and avoid multiple publish sync-up overheads?

Overall, we just want to maintain 20 user nodes mapped to 20 groups in AEM publish, which will map to enterprise-wide users in LDAP based on their roles etc., or to another consumer identity store which holds more than 200K user profiles.

The AEM publish persistence is TarMK.
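Added example (not from the original post, and not Adobe's or Apache Oak's own shipped configuration): the three OSGi configurations that wire Oak's external login module to LDAP with dynamic group membership, which is the supported shape closest to the "map LDAP roles to pre-created AEM groups without syncing group objects" idea in the post above. Property names are those of Oak's LDAP identity provider, default sync handler and external login module factory; the host name, DNs, bind password, group name and expiration values are placeholders (assumptions) chosen for illustration. One caveat for practitioners: even with dynamic membership the external login module still creates a user node on first login; what `user.dynamicMembership` avoids is syncing LDAP groups as group nodes into the repository.

```properties
# Added example config: Oak external authentication against LDAP with dynamic group
# membership. Host, DNs, password and group name below are placeholders (assumptions).

# 1) org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.config
provider.name="ldap"
# Placeholder directory host; use LDAPS (636) so the bind DN and password are never sent in the clear.
host.name="ldap.example.com"
host.port=I"636"
host.ssl=B"true"
# Keep certificate validation ON. host.noCertCheck=true silently accepts any cert (MITM risk).
host.noCertCheck=B"false"
# Least-privilege, read-only service account used only to look up users and groups (placeholder DN).
bind.dn="cn=aem-svc,ou=service,dc=example,dc=com"
# Placeholder; in a real deployment inject this from a secret store rather than committing it.
bind.password="CHANGE_ME"
user.baseDN="ou=people,dc=example,dc=com"
user.objectclass=["inetOrgPerson"]
user.idAttribute="uid"
group.baseDN="ou=groups,dc=example,dc=com"
group.objectclass=["groupOfUniqueNames"]
group.nameAttribute="cn"
group.memberAttribute="uniqueMember"

# 2) org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler.config
handler.name="default"
# Re-validate the synced user against LDAP after this interval.
user.expirationTime="1h"
# Resolve LDAP group membership at login time instead of creating group nodes in the repository.
user.dynamicMembership=B"true"
# Placeholder: a pre-created AEM group that every externally authenticated user is added to,
# so ACLs can be granted to the group rather than to 200K individual users.
user.autoMembership=["portal-readers"]
# Only the profile attributes the portal actually needs are pulled into the repository.
user.propertyMapping=["profile/email=mail","profile/givenName=givenName","profile/familyName=sn"]

# 3) org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory.config
# SUFFICIENT: a successful LDAP login is enough; local repository users still work as a fallback.
jaas.controlFlag="SUFFICIENT"
jaas.ranking=I"50"
idp.name="ldap"
sync.handlerName="default"
```

The security-relevant knobs are `host.ssl`/`host.noCertCheck` (transport protection and certificate validation for the bind), the read-only scope of the bind account, and `user.autoMembership`, which is the piece that lets authorization be expressed as ACLs on a handful of pre-created groups rather than on individual user nodes.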

5 Replies

Level 10

Justin did a webinar on this topic:

https://helpx.adobe.com/experience-manager/using/secure_sites.html

See the link in the table at the start of the article. 

Level 5

It looks great, and covers more of the generic approaches taken for authentication, without much detail on portal-like authorization scenarios.

Here I am looking for more insights from an AEM publish TarMK perspective, to support a 200K user scale with multiple groups to be authorized to view relevant content, like an intranet/extranet portal, where there is also a possibility for the user to maintain his preferences/settings in AEM, which is custom user-generated content.

Please share ideas for the above scenario and which suits it better: LDAP vs SAML vs custom login module.

- overall, we want the user to be authenticated based on LDAP or SAML

- do not maintain all the end users in the AEM repository (200K users), but just maintain 20 users and their groups and impersonate the 200K accordingly

- this helps to use the AEM user admin UI with ease, rather than having the AEM user admin UI impacted by supporting 200K users

- avoid AEM publish TarMK sync-up for user IDs and move the user settings/preferences out of AEM publish, so that publish can scale horizontally when required with no sync-up between publish TarMK file systems, and also avoid sticky connections

- try to achieve an intranet and extranet portal implementation using AEM (which is a WCMS and depends on dispatcher cache for performance), which is not the case for a portal which has a lot of authorization and dynamic pages

Administrator

justin_at_adobe, it would be nice to have your views here.

~kautuk
Kautuk Sahni

Employee

I'd suggest always using SAML. I think you'd be hard pressed to find an IDP on the market today which doesn't support SAML.

Level 1

Hi there,

I'm currently facing the same dilemma of whether to use SAML, a custom login module, or both. Just wondering whether you can shed some light on which approach you took and give a high-level overview of the implementation steps. Thanks in advance.