
Different IDP Authentication for Internal vs External?


Level 2

Hi all,

We have requirements for AEM that:

1) any internal network users get routed to our ADFS for SSO

2) any external network users get routed to a Cloud IDP for explicit username/password authentication (i.e. Okta)

Can this be configured or does this require customization?

I am presuming that some code is required to detect the user's IP and compare it against whitelists to determine if a user is accessing from the firm's internal network, to then decide if the user should be routed to ADFS or Okta?

Thanks
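The IP-based routing the question presumes, as an added example that is not from this thread or from AEM itself: the decision logic that picks the login entry point from the client address, written in Python so it can be run and tested on its own. In AEM this decision would sit in a custom Sling AuthenticationHandler (or a Dispatcher/reverse-proxy rule) in front of the ADFS and Okta handlers; the network ranges, proxy addresses and the two login paths below are constructed placeholders. The part worth copying is how the client address is resolved: when AEM is behind Dispatcher or a load balancer, the TCP peer is the proxy, and the real client is the rightmost X-Forwarded-For entry appended by a trusted proxy, never the leftmost, which the client controls.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed values for this example; a real deployment would load them from
# OSGi configuration rather than hard-code them.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.10.0.0/24",)]  # Dispatcher / LB tier

ADFS_LOGIN = "/saml_login"  # hypothetical path served by the ADFS SAML handler
OKTA_LOGIN = "/okta_login"  # hypothetical path served by the Okta handler


def _is_in(addr: IPAddress, nets) -> bool:
    return any(addr in net for net in nets)


def client_ip(remote_addr: str, xff: Optional[str]) -> Optional[IPAddress]:
    """Resolve the real client address, or None if it cannot be determined safely.

    remote_addr is the TCP peer. Only when the peer is one of our trusted reverse
    proxies do we consult X-Forwarded-For, and then we walk it from the right,
    skipping further trusted proxies, and take the first hop we did not add
    ourselves. Entries further left were supplied by the client and are ignored,
    so a forged "X-Forwarded-For: 10.1.2.3" cannot move an external user onto the
    internal flow.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_in(peer, TRUSTED_PROXIES):
        return peer  # direct connection: the header is untrusted, ignore it entirely
    if not xff:
        return None  # proxy did not tell us who the client is
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: treat as unresolvable
        if not _is_in(addr, TRUSTED_PROXIES):
            return addr
    return None  # every hop was one of our proxies; no client address present


def select_idp(remote_addr: str, xff: Optional[str] = None) -> str:
    """Return the login path to redirect to. Unresolvable or external addresses
    go to the explicit username/password IDP, so a routing error never skips
    the interactive login; the IDP itself still authenticates the user either way."""
    addr = client_ip(remote_addr, xff)
    if addr is not None and _is_in(addr, INTERNAL_RANGES):
        return ADFS_LOGIN
    return OKTA_LOGIN


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header)
    for peer, xff in [("10.20.30.40", None),
                      ("203.0.113.7", "10.1.1.1"),
                      ("10.10.0.5", "10.1.1.1, 203.0.113.7"),
                      ("10.10.0.5", "10.1.1.1, 10.10.0.6")]:
        print(peer, xff, "->", select_idp(peer, xff))
```

Note that this only chooses which IDP the browser is sent to; it is not itself an authentication decision, and the SAML/OIDC handler behind each path must still validate the assertion or token before a session is issued.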

5 Replies


Level 4

Hi John,

You can:

1. Any internal user will access AEM using internal instance URLs and will get the default login screen. You can connect that with ADFS to get them logged in.

2. You can keep 2 different login screens for internal/external users.

3. You can create 1 custom auth handler wherein you can check if the user exists as internal/external. Based on that you can redirect him to the internal/external IDPs.

Hope this helps.

Regards,

Navin


Level 9

Hi John,

You can configure AEM to use both ADFS + Okta. The logic to decide which one among them, based on domain, needs to be taken care of in the component that renders the login link.

Thanks,


Level 2

Navin: Your 3. is not an option. When an internal person accesses the URL you won't even have a username for them, so you can't check if they are internal/external. My requirement is to automatically authenticate internal users when they access the site.

I believe having 2 login pages may be the best approach.


Level 2

Is it possible to have separate login pages, each configured with their own authentication mechanism (ADFS/Okta)?

After the login I assume they both access the SAME AEM site content? Does this have any implication on the "Logout" process?