
SOLVED

LDAP VS SAML user group sync


Level 5

Discussing OOTB LDAP VS SAML authentication options - 

LDAP can sync an authenticated user and its enterprise groups into the AEM repository, so that the enterprise LDAP user groups are synced into AEM for later site authorization based on groups?

SAML can sync an authenticated user only to the one user group configured in the SAML handler, and additional user groups need to be created manually?

Please let me know which one works better for enterprise user group auto-creation in AEM; from my POV LDAP is the best option.

1 Accepted Solution


Correct answer by
Level 2

You can configure an LDAP Connection using the OSGi administration console. You can find the documentation here: http://docs.adobe.com/docs/cn/aem/6-0/administer/security/ldap-config.html

It allows LDAP users to authenticate on the system. During the first authentication the user is created as an AEM user in the system. You can even configure which properties from the LDAP user should be synchronized.

In OSGi you can use the JMX calls to sync all external LDAP users (at the moment only the 5.6.1 documentation is available): https://docs.adobe.com/docs/en/cq/5-6-1/core/administering/ldap_authentication.html

You can configure the LDAP Sync configuration to have the LDAP groups of which an LDAP user is a member synchronized/created in the AEM system. It's also possible to configure the "maximum depth of group nesting". At the moment (AEM 6.0) it's not possible OOTB to synchronize LDAP groups directly; you need to retrieve them via LDAP users.

Unfortunately I don't have any experience with SAML, so I cannot provide any details, but you can find documentation pages online (examples: https://docs.adobe.com/docs/en/cq/5-6-1/core/administering/saml-2-0-authenticationhandler.html or https://helpx.adobe.com/experience-manager/kb/saml-demo.html).
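For anyone implementing the group sync described in the answer, the setting it calls "maximum depth of group nesting" lives in the OSGi configuration of Oak's DefaultSyncHandler, which is the sync layer behind the LDAP setup in AEM 6. The following factory configuration is an added example and is not configuration posted by the answerer or copied from the Adobe documentation; the file path, the `ldap` handler name, the `ldap-users` group and the LDAP attribute names are assumptions for illustration.

```properties
# Added example, not from this thread. Factory configuration for Oak's DefaultSyncHandler,
# deployed as (assumed path):
#   /apps/myproject/config/org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler-ldap.config
# handler.name must match sync.handlerName in the ExternalLoginModuleFactory configuration,
# and an LdapIdentityProvider configuration must already exist for the directory.
handler.name="ldap"

# Synced users and groups are created below /home/users/<prefix> and /home/groups/<prefix>.
user.pathPrefix="ldap"
group.pathPrefix="ldap"

# Re-read the user's LDAP attributes at most once per hour.
user.expirationTime="1h"

# Depth of nested group membership to follow. 0 syncs only the user's direct groups;
# this is the "maximum depth of group nesting" the answer refers to. Each additional
# level costs extra LDAP lookups per user sync.
user.membershipNestingDepth=I"2"

# Group membership is cached in the repository between syncs. A user removed from an
# LDAP group keeps the corresponding AEM group until this interval expires, so keep it
# short for groups that carry authorization.
user.membershipExpTime="15m"

# Synced group nodes themselves are refreshed less often; they hold no membership on their own.
group.expirationTime="1d"

# Every synced LDAP user is also added to these local AEM groups (they must already exist).
# Keep privileged built-in groups such as administrators out of this list.
user.autoMembership=["ldap-users"]

# LDAP attribute -> repository property mapping (attribute names are an assumption).
user.propertyMapping=["profile/familyName\=sn","profile/givenName\=givenName","profile/email\=mail","rep:fullname\=cn"]
group.propertyMapping=["description\=description"]
```

Two practical points follow from this configuration. First, the groups it creates are empty shells as far as authorization goes: AEM only grants access once ACLs have been assigned to those group paths, so the authorization model still has to be built on top of the synced groups. Second, `user.membershipExpTime` is the revocation window; removing a user from an LDAP group takes effect in AEM only at the next membership sync after that interval, or after an explicit JMX sync of the user.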


2 Replies



Level 5

Please share your thoughts on this, quite urgent.