Allow only authenticated users to access website pages

baoyu_li
Level 1

06-05-2021

Hi all,

What is the best way to allow only authenticated users to access website pages?

The identity provider is an external system where users are stored, and authentication can be done via its API.

Any solution proposals that are not based on CUG (closed user group)?

Or if CUG has to be used, how can it work with an external IdP?

Accepted Solutions (1)

Umesh_Thakur
MVP

06-05-2021

Yes, you should use form-based authentication to make an API call with the user credentials to the authorization provider to get either session data or a bearer token, whichever applies in your case.

But this is not the only thing you need to handle.

At the same time you need to handle the access level as well, which you can decide based on the token and session data of the user.

In AEM we have lots of places where you need to manage a user's private data and content and its caching, so after any authorization you will have to set the proper request and response headers to properly cache the content at the dispatcher and CDN level (if applicable).

So all of this needs to be considered before execution.

Hope this will help.

Umesh Thakur

Answers (2)

Arun_Patidar
MVP

08-05-2021

Hi,

I think you should go for a SAML-based solution and implement permission-sensitive caching to cache protected pages.

Though we have implemented a CUG-based solution to protect the portal/pages using an external IDP. Let me know if you go for a CUG-based solution; I can help.

asutosh_jena
Level 10

06-05-2021

Hi @baoyu_li

As you have mentioned the identity provider is an external system, you can go ahead with the form-based authentication process if you have a login page.

Let's say you are using OKTA as the external system; then the user will need to submit the form by providing the user details, and you will need to call the OKTA API to authenticate the user.

Now OKTA will return a session token which you can encrypt in AEM using the crypto support and then store in a cookie.

Post successful login, every time the user makes any request you can check whether the session token is valid or not, and if it's valid, allow access to the page, else redirect back to the login page or any error page based on the business requirement.

If the user is trying to tamper with the cookie value, it will also ensure the user is not getting the content and will redirect them back to the login or error page. You can also implement idle-time error handling where, if the user is inactive for a certain period of time, you can log out the user by showing some kind of warning message such as "the user will be logged out in 10 sec due to inactivity".

Thanks!
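The per-request check described in the answers above (IdP session token wrapped in a protected cookie, tamper detection, idle timeout, and private/no-store caching headers on protected responses), as an added illustration that is not code from the thread or from AEM; it is written in Python to show the decision logic, whereas in AEM it would live in a Sling request filter with the token protected by CryptoSupport. The HMAC key, timeout, login path and the `idp_token_valid` callback are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional, Tuple

# Constructed demo key; in AEM the token would be protected with CryptoSupport
# (the "crypto support" the answer mentions) rather than a hard-coded HMAC key.
SECRET_KEY = b"constructed-demo-key-not-for-production"
IDLE_TIMEOUT_SECONDS = 600  # assumed idle window before the user is logged out
LOGIN_PAGE = "/content/site/login.html"  # hypothetical login page path


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(idp_session_token: str, now: float) -> str:
    """Wrap the IdP session token plus a last-activity timestamp in a signed value."""
    body = json.dumps({"token": idp_session_token, "last": now}, separators=(",", ":"))
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    return f"{payload}.{_sign(payload)}"


def check_request(cookie: Optional[str], now: float,
                  idp_token_valid: Callable[[str], bool]) -> Tuple[str, dict]:
    """Decide per request: ("allow", headers) or ("redirect", headers).

    Allowed responses carry Cache-Control: private, no-store so the dispatcher
    or CDN never serves one user's protected page to another."""
    to_login = ("redirect", {"Location": LOGIN_PAGE, "Cache-Control": "no-store"})
    if not cookie or "." not in cookie:
        return to_login                      # no session cookie at all
    payload, signature = cookie.rsplit(".", 1)
    if not hmac.compare_digest(signature, _sign(payload)):
        return to_login                      # cookie was tampered with
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
        token, last = data["token"], float(data["last"])
    except (ValueError, KeyError, TypeError):
        return to_login                      # malformed payload
    if now - last > IDLE_TIMEOUT_SECONDS:
        return to_login                      # idle too long: force re-login
    if not idp_token_valid(token):
        return to_login                      # IdP no longer accepts the session
    headers = {
        "Cache-Control": "private, no-store",
        "Set-Cookie": f"session={issue_cookie(token, now)}; HttpOnly; Secure; Path=/",
    }
    return ("allow", headers)                # re-issued cookie slides the idle window
```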