Discussing OOTB LDAP vs SAML authentication options:
LDAP can sync the authenticated user and its enterprise groups into the AEM repository, so that entire enterprise LDAP user groups are synced into AEM for later site authorization based on groups?
SAML can sync the authenticated user only to one user group configured in the SAML handler, and additional user groups need to be created manually?
Please let me know which one works better for enterprise user group auto-creation in AEM; from my POV LDAP is the best option.
You can configure an LDAP Connection using the OSGi administration console. You can find the documentation here: http://docs.adobe.com/docs/cn/aem/6-0/administer/security/ldap-config.html
It allows LDAP users to authenticate on the system. During the first authentication the user is created as an AEM user in the system. You can even configure which properties from the LDAP user should be synchronized.
In OSGi you can use the JMX calls to sync all external LDAP users (at the moment only the 5.6.1 documentation is available): https://docs.adobe.com/docs/en/cq/5-6-1/core/administering/ldap_authentication.html
You can configure the LDAP Sync configuration to have the LDAP groups which an LDAP user is a member of synchronized/created in the AEM system. It's also possible to configure the "maximum depth of group nesting". At the moment (AEM 6.0) it's not possible OOTB to synchronize LDAP groups directly; you need to retrieve them via LDAP users.
Unfortunately I don't have any experience with SAML so I cannot provide any details, but you can find documentation pages online (example: https://docs.adobe.com/docs/en/cq/5-6-1/core/administering/saml-2-0-authenticationhandler.html or https://helpx.adobe.com/experience-manager/kb/saml-demo.html)
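As an added illustration of the LDAP path described in the answer above (this is not configuration from the original post or from Adobe's documentation): the three OSGi configurations that together let LDAP users log in and have their directory groups created in the AEM repository, written in Apache Sling `.config` file format. The configuration PIDs and property names are the ones used by Oak's external authentication modules; the host name, base DNs, object classes, bind account, `corp` naming and the `contributor` local group are constructed placeholders to replace with your own values. `user.membershipNestingDepth` is the "maximum depth of group nesting" the answer mentions.

```properties
# --- org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider-corp.config ---
# Connection to the enterprise directory. LDAPS on 636 keeps the bind password and
# directory data off the wire in clear text; the bind account only needs read access.
provider.name="corp-ldap"
host.name="ldap.example.internal"
host.port=I"636"
host.ssl=B"true"
bind.dn="cn=aem-reader,ou=service,dc=example,dc=internal"
# Placeholder: inject the real secret at deployment time, do not commit it.
bind.password="REPLACE_ME"
user.baseDN="ou=people,dc=example,dc=internal"
user.objectclass=["inetOrgPerson"]
user.idAttribute="uid"
group.baseDN="ou=groups,dc=example,dc=internal"
group.objectclass=["groupOfUniqueNames"]
group.nameAttribute="cn"
group.memberAttribute="uniqueMember"

# --- org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-corp.config ---
# How a user and the groups found through that user are mirrored into /home.
handler.name="corp-sync"
user.expirationTime="1h"
user.membershipExpTime="1h"
# 0 = do not sync groups at all; 1 = direct groups only; 2 = groups of groups, and so on.
user.membershipNestingDepth=L"2"
# Local AEM group every synced user joins in addition to its LDAP groups (placeholder name).
user.autoMembership=["contributor"]
user.propertyMapping=["profile/givenName=givenName","profile/familyName=sn","profile/email=mail"]
user.pathPrefix="corp"
group.expirationTime="1d"
group.pathPrefix="corp"

# --- org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModuleFactory-corp.config ---
# Wires the identity provider and sync handler into the JAAS login chain.
jaas.ranking=I"50"
jaas.controlFlag="SUFFICIENT"
jaas.realmName="jackrabbit.oak"
idp.name="corp-ldap"
sync.handlerName="corp-sync"
```

With these in place a group appears under `/home/groups/corp` the first time one of its members authenticates, which is the behaviour the answer describes: group synchronization is driven through users rather than pulled from the directory as a whole. Raising the nesting depth is what brings nested enterprise groups in, at the cost of more directory lookups per login; the expiration times bound how long a revoked membership stays effective in AEM after it has been removed in LDAP.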
Please share your thoughts on this, quite urgent.