AEM Single Sign On using OAuth 2 (AEM 6.1)

Avatar

Avatar

Sagar_Sane

Avatar

Sagar_Sane

Sagar_Sane

20-04-2017

Hello all,

I wanted to confirm this. I know AEM has out of the box support for Single Sign On using SAML (https://docs.adobe.com/docs/en/aem/6-2/deploy/configuring/single-sign-on.html). However, we have a requirement where the client prefers to use OAuth for Single Sign On instead of SAML.

Is that possible in AEM 6.1 (vanilla) Out of the box? Or would we have to implement a customer login module to do that?

Thank you.

Sagar Sane

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar

MC_Stuff

Avatar

MC_Stuff

MC_Stuff

20-04-2017

Hi Sagar,

Firstly oAuth is not sso,  though there are some similarities. Each Oauth & SSO are for different use case. 

AEM provide oAuth out of the box. On top of it  OOB face book integration, market cloud etc...   make use of that framework already.   Watch https://docs.adobe.com/ddc/en/gems/oauth-server-functionality-in-aem---embrace-federation-and-unlea.... for more details.

Thanks,

Answers (6)

Answers (6)

Avatar

Avatar

digarg

Employee

Avatar

digarg

Employee

digarg
Employee

17-10-2020

Hi @Sagar_Sane  : did you get any leads there ? any references?

Avatar

Avatar

davidm57823599

Avatar

davidm57823599

davidm57823599

13-10-2017

As a first configuration step it looks like you need to set up an OAUTH Granite Application and Provider configuration, using the Client ID and Provider ID created by your provider.   Then save the Granite OAUTH Authentication Handler to enable (just have to save it with no configuration change apparently (or add node info here I think).  https://aemcorner.com/adobe-granite-oauth-authentication-handler/

Avatar

Avatar

davidm57823599

Avatar

davidm57823599

davidm57823599

13-10-2017

Yes, I am looking for same - want to configure AEM on a particular node to use OAUTH provider (Okta OIDC) to provide single sign-on.

Avatar

Avatar

Sagar_Sane

Avatar

Sagar_Sane

Sagar_Sane

25-04-2017

Hi MC Stuff,

Okay thank you for your response. I'll take a look at it again.

I Appreciate the help!

Sincerely,

Sagar Sane

Avatar

Avatar

MC_Stuff

Avatar

MC_Stuff

MC_Stuff

25-04-2017

Hi Sagar,

    I have watched the presentation almost 10 times to get a solid understanding & antonia has confirmed have both server & client.   In fact location to configure client is [A].   If you have used adobe marketing cloud (AMC) AND aem Integration,  The AMC itself is using the oAuth Client.   Documentation needs major improvement in this area & reach out to official support channel for further detailed steps.    You can make use of Provider if needs additinal information to be passed during authorization process.     

[A]   http://host:port/libs/granite/oauth/content/clients.html

Thanks,

Avatar

Avatar

Sagar_Sane

Avatar

Sagar_Sane

Sagar_Sane

23-04-2017

Thanks MC Stuff!

Yes that makes sense to me. However, I did take look at the OAuth integration mentioned https://docs.adobe.com/ddc/en/gems/oauth-server-functionality-in-aem---embrace-federation-and-unlea....However, I think that shows OAuth Server support in AEM. I think if I have to simulate SSO behavior using OAuth, I think my need is to use AEM as an OAuth client instead. So an OAuth Client (AEM) -> OAuth Server (non-AEM) instead of OAuth Client (non-AEM) -> OAuth Server (AEM) .

To give a little more context -- the client has the below functionality on a non-AEM system today and wants to migrate it to AEM. They are essentially simulating single sign on (but not in its true sense) to protect a sub-tree in the system using OAuth based authorization system.

Below are the details -

- For a sub-domain or a sub-directory (i.e., something.example.com OR example.com/something) that maps to a landing page in the content tree (say /content/example/something/landing-page), if the user is not Authorized already, he should be taken to a Login Screen on an enterprise system that is a NetIQ system. 

- From there the user logs in using Corporate Credentials. The user is authenticated on the NetIQ system and it sends back an OAuth Token. AEM then validates that token and the user is then served the landing-page.

This example has a sample implementation of the OAuth Provider. Do you think this is the right approach for what I am trying to do?

Also, to clarify -- the use case for me is to use AEM as an OAuth client on the publish instances and not author instances.

Please let me know your thoughts.

Thanks,

Sagar Sane