same url different end user authentication options | Community

varshsr (Level 5), October 16, 2015 - Solved

Assuming that AEM supports different types of authentication applied to the same home page URL:

Say I have LDAP & SAML for the intranet & extranet sites and have the same home page served via different dispatchers. I guess I can configure

LDAP JAAS as a final login module & the SAML handler as high priority, so in this case SAML will be used for authentication first; if it fails, then fall back to LDAP.

Or, alternatively, should I have 2 different URLs for the home page, 1 for intranet & 1 for extranet?

If there are any additional options, please share them here.


3 replies

ogill (Adobe Employee), October 16, 2015 - Accepted solution

Hi,

Would you have the intranet and internet site served from the same URL? Intranet sites tend to be internal and not accessible outside your firewall, so normally you would have two separate URLs. I have even seen customers that have separate AEM servers, so there is no chance of any internal content accidentally being published to the internet site.

If you used a single URL, you would then need to decide after authentication if the user should be redirected to the intranet or internet site. Or would they be asked to select which site they wish to gain access to?

Usually the two sites would be on different content paths, with separate home pages. You could have a central home page on which the user selects which site they wish to access, but only if you are really going to expose your intranet beyond your firewall.

Regards,

Opkar

varshsr (Author, Level 5), October 16, 2015

Thanks Opkar. I agree if teams set it up that way separately. Sometimes, due to cost constraints, there could be scenarios when the same page is served for both intranet & internet, with different dispatchers for intranet (inside the firewall) & internet.

But with the IDP not abstracting intranet & internet authentication, which would be the best way?

In such cases, can we have a list of authentication mechanisms combining the OOTB SAML handler for internet & the external login module (LDAP) for intranet,

so that the same home page URL can allow authentication with whichever is successful first?

Example:

For internet access on the same page: first the SAML handler will get invoked; if that does not succeed, fall back to the external login module (LDAP); if that also fails, then error out.

For intranet access on the same page: the SAML handler will get invoked, it fails, fall back to the external login module (LDAP), and this is successful.

Also, have you seen limits on syncing users into the AEM repository, be it SAML or LDAP? What is the MAX(N) user node support in Oak?

ogill (Adobe Employee), October 16, 2015

Hi,

I would keep it simple and have different URLs. You can map multiple domains on a single AEM instance using dispatcher [1].

There is no hard limit on the number of users that Oak can handle. In previous versions, I heard of customers that would implement a cleanup job to delete created accounts if the user had not logged in within a week.

Regards,

Opkar

[1] https://docs.adobe.com/docs/en/dispatcher/disp-domains.html
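The "different URLs on one instance" approach above, as an added example that is not part of the original thread or of Adobe's documentation: a dispatcher.any fragment with two farms, each selected by the Host header (/virtualhosts), each allowed to serve only its own content tree, and each with its own cache docroot. The hostnames intranet.example.com and www.example.com, the content paths /content/intranet and /content/extranet, and the publish host and port are assumptions.

```apache
# Added example (not from the thread or Adobe docs). Hostnames, paths and
# ports are placeholders. Two farms on one dispatcher: the Host header picks
# the farm, and each farm's /filter denies everything except its own site,
# so an intranet page can never be fetched through the public hostname.
/farms
  {
  /intranet
    {
    /clientheaders { "*" }
    # Only requests whose Host header matches this farm land here.
    /virtualhosts { "intranet.example.com" }
    /renders { /publish { /hostname "aem-publish.internal" /port "4503" } }
    /filter
      {
      # Deny everything first, then allow only what this site needs.
      /0001 { /type "deny"  /glob "*" }
      /0002 { /type "allow" /url "/content/intranet/*" }
      /0003 { /type "allow" /url "/etc.clientlibs/*" }
      }
    # Separate docroot per farm: cached intranet pages are never in the
    # directory the public vhost serves from.
    /cache
      {
      /docroot "/var/www/intranet"
      /rules { /0000 { /glob "*" /type "allow" } }
      }
    }
  /internet
    {
    /clientheaders { "*" }
    /virtualhosts { "www.example.com" }
    /renders { /publish { /hostname "aem-publish.internal" /port "4503" } }
    /filter
      {
      /0001 { /type "deny"  /glob "*" }
      /0002 { /type "allow" /url "/content/extranet/*" }
      /0003 { /type "allow" /url "/etc.clientlibs/*" }
      }
    /cache
      {
      /docroot "/var/www/internet"
      /rules { /0000 { /glob "*" /type "allow" } }
      }
    }
  }
```

The web server in front still needs one VirtualHost per hostname with a matching DocumentRoot, and the publish instance's own ACLs remain the last line of defence: the dispatcher filter stops an intranet path being requested via the public name, but it does not replace repository permissions on /content/intranet. Widen the allow list (for example /etc.clientlibs, /libs/granite/csrf) only as far as each site actually requires, and prefer an explicit /clientheaders list over "*" once the headers each site needs are known.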