Allow only authenticated users to access website pages

Hi all,

What is the best way to allow only authenticated users to access website pages?

The identity provider is an external system where users are stored, and authentication can be done via its API.

Any solution proposals that are not based on CUG (closed user group)?

Or if CUG has to be used, how can it work with an external IdP?

1 Accepted Solution

Correct answer by
Community Advisor

Yes, you should use form-based authentication to make an API call with the user credentials to the authorization provider and get either session data or a bearer token, whichever applies in your case.

But this is not the only thing you need to handle.

At the same time you need to handle the access level as well, which you can decide based on the token and session data of the user.

In AEM there are lots of places where you need to manage the user's private data and content and its caching, so after any authorization you will have to set the proper request and response headers to correctly cache the content at the dispatcher and CDN level (if applicable).

So all of this needs to be considered before execution.

 

Hope this will help.

Umesh Thakur

3 Replies

Community Advisor

Hi @baoyu_li 

 

As you have mentioned the identity provider is an external system, you can go ahead with the form-based authentication process if you have a login page.

Let's say you are using Okta as the external system; then the user will need to submit the form providing their user details, and you will need to call the Okta API to authenticate the user.

Now Okta will return a session token, which you can encrypt in AEM using the crypto support and then store in a cookie.

After successful login, every time the user makes a request you can check whether the session token is valid; if it is valid, allow access to the page, else redirect back to the login page or an error page, depending on the business requirement.

If the user tries to tamper with the cookie value, this will also ensure the user does not get the content and is redirected back to the login or error page. You can also implement idle-time handling where, if the user is inactive for a certain period of time, you log the user out after showing some kind of warning message such as "you will be logged out in 10 sec due to inactivity".

 

Thanks!
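The accepted answer and the reply above describe the same design: a login form that calls the external IdP, a token that is encrypted with AEM's CryptoSupport and kept in a cookie, a per-request check that catches tampering and idle sessions, and response headers that keep personalised output out of the dispatcher/CDN cache. The following Sling AuthenticationHandler is an added example that puts those pieces together; it is not code from the thread or from Adobe. The package name, the site root /content/mysite, the login page, ExternalIdpClient (an OSGi wrapper around the IdP's API with login/isValid/logout), ExternalIdpCredentials (a javax.jcr.Credentials implementation that a matching login module accepts) and the CryptoSupport.hmac_sha256(byte[]) signature are all assumptions.

```java
package com.example.mysite.auth; // hypothetical package for this added example

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;

// Form-based login against an external IdP. The IdP token is MAC'd and encrypted with CryptoSupport,
// kept in an HttpOnly cookie, and re-validated (tamper check, idle timeout, IdP validity) on every request.
@Component(service = AuthenticationHandler.class, property = {
        AuthenticationHandler.PATH_PROPERTY + "=/content/mysite",  // assumed site root
        AuthenticationHandler.TYPE_PROPERTY + "=ExternalIdp",
        "sling.auth.requirements=+/content/mysite",                 // no anonymous access below the root
        "service.ranking:Integer=1000" })
public class ExternalIdpAuthenticationHandler implements AuthenticationHandler {
    static final String AUTH_TYPE = "ExternalIdp";
    static final String COOKIE = "mysite-session";
    static final String LOGIN_PAGE = "/content/mysite/login.html";   // assumed login form page
    static final long IDLE_TIMEOUT_SECONDS = 15 * 60;                // inactivity logout
    @Reference private CryptoSupport cryptoSupport;
    @Reference private ExternalIdpClient idp;  // hypothetical OSGi wrapper around the IdP's HTTP API

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        String user = req.getParameter("j_username");
        if ("POST".equals(req.getMethod()) && user != null) {
            // Login form: exchange the credentials for an IdP token; the password is never stored.
            String token = user.indexOf('|') < 0 ? idp.login(user, req.getParameter("j_password")) : null;
            return token == null ? AuthenticationInfo.FAIL_AUTH : establish(res, user, token);
        }
        Cookie c = cookie(req);
        if (c == null) return null;                       // no credentials: Sling calls requestCredentials()
        String[] f = unseal(c.getValue());                // null on tampering or an undecryptable value
        if (f == null || Instant.now().getEpochSecond() - Long.parseLong(f[2]) > IDLE_TIMEOUT_SECONDS
                || !idp.isValid(f[1])) {
            clear(res);
            return AuthenticationInfo.FAIL_AUTH;          // back to the login page
        }
        return establish(res, f[0], f[1]);                // re-issue the cookie to slide the idle window
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Only a same-site path is accepted as the post-login target, so this is not an open redirect.
        String target = req.getRequestURI().startsWith("/content/mysite/") ? req.getRequestURI() : "/content/mysite.html";
        res.sendRedirect(LOGIN_PAGE + "?resource=" + URLEncoder.encode(target, StandardCharsets.UTF_8.name()));
        return true;
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        String[] f = cookie(req) == null ? null : unseal(cookie(req).getValue());
        if (f != null) idp.logout(f[1]);                  // revoke at the IdP, not only in the browser
        clear(res);
    }

    private AuthenticationInfo establish(HttpServletResponse res, String user, String token) {
        String plain = user + "|" + token + "|" + Instant.now().getEpochSecond();
        try {
            String sealed = cryptoSupport.protect(plain + "|" + mac(plain));  // AES under the instance key
            res.addHeader("Set-Cookie", COOKIE + "=" + sealed + "; Path=/; Secure; HttpOnly; SameSite=Strict");
        } catch (CryptoException e) {
            return AuthenticationInfo.FAIL_AUTH;
        }
        res.setHeader("Dispatcher", "no-cache");             // personalised output must not be cached
        res.setHeader("Cache-Control", "private, no-store"); // by the dispatcher, a CDN or the browser
        AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, user);
        info.put(AuthenticationInfo.CREDENTIALS, new ExternalIdpCredentials(user, token)); // hypothetical Credentials
        return info;
    }

    private String[] unseal(String value) {
        try {
            String[] f = cryptoSupport.unprotect(value).split("\\|");
            if (f.length != 4) return null;
            Long.parseLong(f[2]);                         // non-numeric timestamp => reject
            byte[] expected = mac(f[0] + "|" + f[1] + "|" + f[2]).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, f[3].getBytes(StandardCharsets.UTF_8)) ? f : null; // constant time
        } catch (CryptoException | IllegalArgumentException e) {
            return null;
        }
    }

    private String mac(String data) throws CryptoException {
        // Assumed CryptoSupport.hmac_sha256(byte[]) keyed with the instance master key
        return Base64.getEncoder().encodeToString(cryptoSupport.hmac_sha256(data.getBytes(StandardCharsets.UTF_8)));
    }

    private static Cookie cookie(HttpServletRequest req) {
        return req.getCookies() == null ? null
                : Arrays.stream(req.getCookies()).filter(c -> COOKIE.equals(c.getName())).findFirst().orElse(null);
    }

    private static void clear(HttpServletResponse res) {
        res.addHeader("Set-Cookie", COOKIE + "=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Strict");
    }
}
```

Returning AuthenticationInfo.FAIL_AUTH makes the Sling authenticator call requestCredentials(), so a tampered cookie, an expired idle window and a token the IdP no longer accepts all end on the login page rather than on a cached copy of the page. The MAC is checked before the timestamp is trusted, and the idle timeout is enforced server-side in the cookie, so neither can be extended by editing the browser's copy. The `Dispatcher: no-cache` header is the simple, safe option; the permission-sensitive caching alternative mentioned further down lets protected pages be cached once an auth checker endpoint exists.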

Community Advisor

Hi,

I think you should go for a SAML-based solution and implement permission-sensitive caching to cache protected pages.

Though we have implemented a CUG-based solution to protect the portal/pages using an external IdP. Let me know if you go for a CUG-based solution; I can help.



Arun Patidar
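The permission-sensitive caching mentioned in this reply works by letting the dispatcher cache protected pages but asking the publish instance, on every hit, whether the requesting user may see the cached copy: the dispatcher sends a HEAD request with the original cookies to a configured auth checker URL and serves the page only on a 200. The servlet below is an added example of that endpoint, not code from the thread or from Adobe's documentation. It assumes the servlet path /bin/permissioncheck, the protected tree /content/mysite/secure, that the dispatcher passes the requested page as the `uri` query parameter, and that an authentication handler whose path covers /bin/permissioncheck has already turned the session cookie into a JCR session (so an anonymous resolver means the cookie was missing or rejected).

```java
package com.example.mysite.auth; // hypothetical package for this added example

import java.io.IOException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

// Auth checker for dispatcher permission-sensitive caching: the dispatcher serves a cached
// protected page only after this servlet answers 200 to a HEAD request carrying the user's cookies.
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/permissioncheck",          // must match /auth_checker /url in dispatcher.any
        "sling.servlet.methods=" + HttpConstants.METHOD_HEAD })
public class PermissionCheckServlet extends SlingSafeMethodsServlet {

    static final String PROTECTED_ROOT = "/content/mysite/secure"; // assumed; must match the /filter allow rule

    @Override
    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) throws IOException {
        // The verdict itself must never be cached anywhere.
        response.setHeader("Cache-Control", "private, no-store");
        response.setHeader("Dispatcher", "no-cache");
        response.setStatus(allowed(request) ? HttpServletResponse.SC_OK : HttpServletResponse.SC_FORBIDDEN);
    }

    static boolean allowed(SlingHttpServletRequest request) {
        String uri = request.getParameter("uri");  // assumed: the dispatcher passes the requested page as ?uri=
        if (uri == null || !uri.startsWith(PROTECTED_ROOT + "/") || uri.contains("..")) {
            return false;                          // anything outside the protected tree is not ours to approve
        }
        ResourceResolver resolver = request.getResourceResolver();
        String userId = resolver.getUserID();
        if (userId == null || "anonymous".equals(userId)) {
            return false;                          // the authentication handler did not accept the cookie
        }
        Resource page = resolver.resolve(request, uri); // strips the extension and applies resource mappings
        if (ResourceUtil.isNonExistingResource(page)) {
            return false;
        }
        Session session = resolver.adaptTo(Session.class);
        try {
            // The JCR ACLs are the single source of truth; the IdP's answer has already been mapped onto them.
            return session != null && session.hasPermission(page.getPath(), Session.ACTION_READ);
        } catch (RepositoryException e) {
            return false;                          // fail closed
        }
    }
}
```

On the dispatcher side this pairs with an `/auth_checker` section in dispatcher.any whose `/url` is "/bin/permissioncheck" and whose `/filter` denies "*" and allows only the protected tree (for example "/content/mysite/secure/*"), so that public pages are served straight from cache without a round trip. Every check fails closed: a missing or malformed `uri`, an anonymous session, a non-existent resource and a repository error all produce 403, and the servlet never approves a path outside the tree it owns, so a cache entry for one user cannot be unlocked by pointing the checker at a different, readable path.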