AEM Single Sign On using OAuth 2 (AEM 6.1)

Sagar_Sane

20-04-2017

Hello all,

I wanted to confirm this. I know AEM has out of the box support for Single Sign On using SAML (https://docs.adobe.com/docs/en/aem/6-2/deploy/configuring/single-sign-on.html). However, we have a requirement where the client prefers to use OAuth for Single Sign On instead of SAML.

Is that possible in AEM 6.1 (vanilla) out of the box? Or would we have to implement a custom login module to do that?

Thank you.

Sagar Sane

Accepted Solutions (1)

MC_Stuff

20-04-2017

Hi Sagar,

Firstly, OAuth is not SSO, though there are some similarities. OAuth and SSO are each for different use cases.

AEM provides OAuth out of the box. On top of that, the OOB Facebook integration, Marketing Cloud, etc. already make use of that framework. Watch https://docs.adobe.com/ddc/en/gems/oauth-server-functionality-in-aem---embrace-federation-and-unlea.... for more details.

Thanks,

Answers (6)

davidm57823599

13-10-2017

As a first configuration step, it looks like you need to set up an OAuth Granite Application and Provider configuration, using the Client ID and Provider ID created by your provider. Then save the Granite OAuth Authentication Handler to enable it (you apparently just have to save it with no configuration change, or add node info here, I think). https://aemcorner.com/adobe-granite-oauth-authentication-handler/

MC_Stuff

25-04-2017

Hi Sagar,

I have watched the presentation almost 10 times to get a solid understanding, and Antonia has confirmed that AEM has both server and client. In fact, the location to configure the client is [A]. If you have used the Adobe Marketing Cloud (AMC) and AEM integration, the AMC itself is using the OAuth client. Documentation needs major improvement in this area; reach out to the official support channel for further detailed steps. You can make use of the Provider if additional information needs to be passed during the authorization process.

[A]   http://host:port/libs/granite/oauth/content/clients.html

Thanks,

Sagar_Sane

23-04-2017

Thanks MC Stuff!

Yes, that makes sense to me. However, I did take a look at the OAuth integration mentioned at https://docs.adobe.com/ddc/en/gems/oauth-server-functionality-in-aem---embrace-federation-and-unlea.... However, I think that shows OAuth Server support in AEM. I think if I have to simulate SSO behavior using OAuth, I think my need is to use AEM as an OAuth client instead. So an OAuth Client (AEM) -> OAuth Server (non-AEM) instead of OAuth Client (non-AEM) -> OAuth Server (AEM).

To give a little more context: the client has the below functionality on a non-AEM system today and wants to migrate it to AEM. They are essentially simulating single sign-on (but not in its true sense) to protect a sub-tree in the system using an OAuth-based authorization system.

Below are the details:

- For a sub-domain or a sub-directory (i.e., something.example.com OR example.com/something) that maps to a landing page in the content tree (say /content/example/something/landing-page), if the user is not authorized already, he should be taken to a login screen on an enterprise system that is a NetIQ system.

- From there the user logs in using corporate credentials. The user is authenticated on the NetIQ system and it sends back an OAuth token. AEM then validates that token and the user is then served the landing page.

This example has a sample implementation of the OAuth Provider. Do you think this is the right approach for what I am trying to do?

Also, to clarify: the use case for me is to use AEM as an OAuth client on the publish instances and not the author instances.

Please let me know your thoughts.

Thanks,

Sagar Sane