We have 3 AEM instances with different authentication methods. The instance using ActiveDirectory/LDAP will be moved to Okta. It's my understanding that once the profile attributes are mapped between AEM and Okta, AEM will create new profiles once the user authenticates. If this is true, how does one go about retaining the existing user groups and permissions?
Hi @KelvinShah ,
So Okta is an identity provider, and in order to implement SSO, I guess you must be using SAML or Authentication Handler. In the web console, under Adobe Granite SAML 2.0 Authentication Handler, you can manage several configurations related to SAML.
Here you can also configure whether or not non-existing users are automatically created in the repository after successful authentication. So, I believe existing users will remain as they are, but to be on the safe side you can try to simulate the behavior in a lower environment before moving to a higher environment.
Hope this helps!
It will create the profile the first time and will reuse the same profile in subsequent logins.