Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now
SOLVED

Encapsulated token mechanism is not working in AEM OIDC integration

Avatar

Level 6
Level 6
4/15/25 1:34:37 AM

Hi,

 

We are successfully doing OIDC integration with Azure on our AEM publisher instances.

In our current SAML setup, we use a high-wire load balancing mechanism with sticky sessions so that all requests for a user’s session are routed to the same publisher. This avoids re-authentication issues.

 

However, when we disable sticky sessions so that requests can go to different publisher instances, the user session isn’t available across all nodes and the user is prompted to log in on each request.

 

To handle this scenario, we enabled “Encapsulated Token,” which is meant to support stateless session management across publishers.

 

Unfortunately, upon enabling Encapsulated Token in our OIDC codebase, the user’s .token node is not being created, and the integration fails.

 

Any suggestions or idea.

 

 

Views

295

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
4/15/25 2:16:04 AM

Hi @akhilraj ,

All authentication handlers that synchronize users and rely on token authentication (like SAML & OAuth) will only work with encapsulated tokens if:

  • Sticky sessions are enabled, or

  • Users are already created in AEM when the synchronization starts. This means that encapsulated tokens will not be supported in situations where the handlers create users during the sync process.

Also, please check the log of and see if you find any clue from there.
If there is nothing that is pending from your end then raise an adobe support ticket to look after it.

 

 

-Tarun

View solution in original post

Views

273

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Community Advisor
Community Advisor
4/15/25 2:16:04 AM

Hi @akhilraj ,

All authentication handlers that synchronize users and rely on token authentication (like SAML & OAuth) will only work with encapsulated tokens if:

  • Sticky sessions are enabled, or

  • Users are already created in AEM when the synchronization starts. This means that encapsulated tokens will not be supported in situations where the handlers create users during the sync process.

Also, please check the log of and see if you find any clue from there.
If there is nothing that is pending from your end then raise an adobe support ticket to look after it.

 

 

-Tarun

Views

274

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
SSL update in Cloud Manager

Views

283

Likes

0

Replies

3
How to Expose a Custom Resolver Field in Content Fragments for AEM GraphQL queries Without Editing the Fragment Model

Views

678

Likes

0

Replies

3
org,apache.sling.servlet-helpers Bundle is missing in the AEM version 6.5.21 system console

Views

96

Likes

0

Replies

5
AEM Cloud Folder Metadata Schema properties

Views

393

Likes

0

Replies

2
Adobe Core Bundle (cq-dam-cfm-graphql) Not Starting After Rolling Restart

Views

214

Likes

0

Replies

2