AEM lets developers implement their own custom authentication handler, with a full range of customization, using the Sling Authentication APIs. To create a custom handler, we need to implement the AuthenticationHandler interface.
Why Create Custom Authentication?
There are many cases where users need to be authenticated by some means other than the default form authentication on the default login page. Of course, we could create our own login page, but in this example we'll look at a different approach to tackle additional requirements.
The following scenario presents an interesting example. In an organization where no Single Sign-On (SSO) has been implemented, the requirement is that our website running on AEM be accessible only to users already logged in to another internal web application, via a direct link generated by this second application.
The idea here is that these users will never access the actual default login page or any other login page. One way for them to log in would be to use the link from the application in which they are already authenticated.
Solving The Problem With Custom Authentication Handler
A possible solution, which we'll delve into here, is to have the second application, external to AEM, generate a user token and pass it as a URL parameter in the link to our AEM website. We want these users to be authenticated on our website as well. After receiving and verifying the request, our custom authenticator forwards the token to a web service endpoint, where it is confirmed, and user details are returned upon success. Our custom authenticator then signs the user in if the user has already been created in AEM. If not, it creates the user on the fly and then signs them in.
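The token extraction and verification step of the flow described above, as an added example that is not code from the original article. It assumes a hypothetical `TokenVerifier` OSGi service wrapping the web service call, and a site root, auth type name and parameter name chosen for illustration; the repository login and on-the-fly user creation for the returned user id are assumed to be handled by a separately configured login module.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = AuthenticationHandler.class, property = {
    AuthenticationHandler.PATH_PROPERTY + "=/content/mysite", // assumed site root
    AuthenticationHandler.TYPE_PROPERTY + "=LINK_TOKEN" })    // assumed auth type name
public class LinkTokenAuthenticationHandler implements AuthenticationHandler {

    /** Hypothetical wrapper around the web service call: user id, or null if rejected. */
    public interface TokenVerifier { String verify(String token) throws IOException; }

    private static final String AUTH_TYPE = "LINK_TOKEN";
    private static final String TOKEN_PARAM = "token"; // assumed URL parameter name
    private static final int MAX_TOKEN_LENGTH = 512;   // assumed upper bound

    @Reference
    private TokenVerifier verifier;

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        String token = req.getParameter(TOKEN_PARAM);
        // No token parameter: not a request for this handler, let other handlers try.
        if (token == null) return null;
        // Malformed token: reject without calling the web service.
        if (token.isEmpty() || token.length() > MAX_TOKEN_LENGTH) return AuthenticationInfo.FAIL_AUTH;
        try {
            String userId = verifier.verify(token);
            // Fail closed: a rejected token is reported as a failed login.
            return userId == null ? AuthenticationInfo.FAIL_AUTH
                                  : new AuthenticationInfo(AUTH_TYPE, userId);
        } catch (IOException e) {
            return AuthenticationInfo.FAIL_AUTH; // web service unreachable: also fail closed
        }
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) {
        return false; // this handler has no login page to present
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        // Nothing stored by this handler (no cookie, no session attribute).
    }
}
```

Because the token travels as a URL parameter, it ends up in access logs and Referer headers, so the issuing application should make it short-lived and single-use.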