Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session

Different IDP Authentication for Internal vs External?


Level 2

Hi all,

We have requirements for AEM that:

1) any internal network users get routed to our ADFS for SSO

2) any external network users get routed to a Cloud IDP for explicit username/password authentication (i.e. Okta)

Can this be configured or does this require customization?

I am presuming that some code is required to detect the users ip and compare against whitelists to determine if a user is accessing from the frim's internal network to then decide if the user should be routed to ADFS or Okta?


5 Replies


Level 4

Hi John,

You can:

1. Any internal user will access AEM using internal Instance URLs and will get default login screen. You can connect that with ADFs to get them logged in.

2. You can keep 2 different Login screen for internal/external users

3. You can create 1 custom auth handler where in you can check if user is exists as internal/external. Based on that you can redirect him to inetrnal/external IDPs

Hope this helps.




Level 9

Hi John,

You can configure AEM to both ADFS + OKta. The logic to decide which one among them based on domain needs to be taken care in component that renders the login link. 



Level 2

Navin: Your 3. is not an option, when an internal person accesses the URL you won't even have a username for them so you can't check if they are internal/external. My requirement is to automatically authenticate internal users when they access the site.

I believe having 2 login pages may be the best approach


Level 2

Is it possible to have separate login pages, each configured with their own authentication mechanism (ADFS/Okta?)

After the login I assume they both access the SAME AEM site content?, Does this have any implication on the "Logout" process?