Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

AEM Single Sign On using OAuth 2 (AEM 6.1)

Avatar

Level 2

Hello all,

I wanted to confirm this. I know AEM has out of the box support for Single Sign On using SAML (https://docs.adobe.com/docs/en/aem/6-2/deploy/configuring/single-sign-on.html). However, we have a requirement where the client prefers to use OAuth for Single Sign On instead of SAML.

Is that possible in AEM 6.1 (vanilla) Out of the box? Or would we have to implement a customer login module to do that?

Thank you.

Sagar Sane

1 Accepted Solution

Avatar

Correct answer by
Level 9

Hi Sagar,

Firstly oAuth is not sso,  though there are some similarities. Each Oauth & SSO are for different use case. 

AEM provide oAuth out of the box. On top of it  OOB face book integration, market cloud etc...   make use of that framework already.   Watch https://docs.adobe.com/ddc/en/gems/oauth-server-functionality-in-aem---embrace-federation-and-unlea.... for more details.

Thanks,

View solution in original post

7 Replies

Avatar

Correct answer by
Level 9

Hi Sagar,

Firstly oAuth is not sso,  though there are some similarities. Each Oauth & SSO are for different use case. 

AEM provide oAuth out of the box. On top of it  OOB face book integration, market cloud etc...   make use of that framework already.   Watch https://docs.adobe.com/ddc/en/gems/oauth-server-functionality-in-aem---embrace-federation-and-unlea.... for more details.

Thanks,

Avatar

Level 2

Thanks MC Stuff!

Yes that makes sense to me. However, I did take look at the OAuth integration mentioned https://docs.adobe.com/ddc/en/gems/oauth-server-functionality-in-aem---embrace-federation-and-unlea....However, I think that shows OAuth Server support in AEM. I think if I have to simulate SSO behavior using OAuth, I think my need is to use AEM as an OAuth client instead. So an OAuth Client (AEM) -> OAuth Server (non-AEM) instead of OAuth Client (non-AEM) -> OAuth Server (AEM) .

To give a little more context -- the client has the below functionality on a non-AEM system today and wants to migrate it to AEM. They are essentially simulating single sign on (but not in its true sense) to protect a sub-tree in the system using OAuth based authorization system.

Below are the details -

- For a sub-domain or a sub-directory (i.e., something.example.com OR example.com/something) that maps to a landing page in the content tree (say /content/example/something/landing-page), if the user is not Authorized already, he should be taken to a Login Screen on an enterprise system that is a NetIQ system. 

- From there the user logs in using Corporate Credentials. The user is authenticated on the NetIQ system and it sends back an OAuth Token. AEM then validates that token and the user is then served the landing-page.

This example has a sample implementation of the OAuth Provider. Do you think this is the right approach for what I am trying to do?

Also, to clarify -- the use case for me is to use AEM as an OAuth client on the publish instances and not author instances.

Please let me know your thoughts.

Thanks,

Sagar Sane

Avatar

Level 9

Hi Sagar,

    I have watched the presentation almost 10 times to get a solid understanding & antonia has confirmed have both server & client.   In fact location to configure client is [A].   If you have used adobe marketing cloud (AMC) AND aem Integration,  The AMC itself is using the oAuth Client.   Documentation needs major improvement in this area & reach out to official support channel for further detailed steps.    You can make use of Provider if needs additinal information to be passed during authorization process.     

[A]   http://host:port/libs/granite/oauth/content/clients.html

Thanks,

Avatar

Level 2

Hi MC Stuff,

Okay thank you for your response. I'll take a look at it again.

I Appreciate the help!

Sincerely,

Sagar Sane

Avatar

Level 1

Yes, I am looking for same - want to configure AEM on a particular node to use OAUTH provider (Okta OIDC) to provide single sign-on.

Avatar

Level 1

As a first configuration step it looks like you need to set up an OAUTH Granite Application and Provider configuration, using the Client ID and Provider ID created by your provider.   Then save the Granite OAUTH Authentication Handler to enable (just have to save it with no configuration change apparently (or add node info here I think).  https://aemcorner.com/adobe-granite-oauth-authentication-handler/

Avatar

Employee

Hi @Sagar_Sane  : did you get any leads there ? any references?