Expand my Community achievements bar.

SOLVED

same url different end user authentication options

Avatar

Level 5

Assuming that AEM supports different types of authentication applied on to same homepage url

Say i have LDAP & SAML for the intranet & extranet sites and have same home page served via different dispatcher  i guess i can configure 

LDAP JAAS as a final login module & SAML handler as high priority so in this case first SAML will be used for authentication if it fails then fallback to LDAP

or alternatively should have 2 different url for home page 1 for intranet & 1 for extranet

if any additional options please share here.

1 Accepted Solution

Avatar

Correct answer by
Employee

Hi,

Would you have the intranet and internet site served from the same URL? Intranet site's tend to be internal and not accessible outside your firewall. So normally you would have two separate URL's. I have even seen customers that have separate AEM servers, so there is no chance of any internal content being accidentally being published to the internet site. 

If you used a single URL, you would then need to decide after authentication if the user should be redirected to the intra or internet site. Or they be asked to select which site they wish to gain access to?

Usually the the two sites would be on different content paths, with separate home pages, you could have a central home page on which the user selects which site they wish to access, but only if you are really going to expose your intranet beyond your firewall. 

Regards,

Opkar

View solution in original post

3 Replies

Avatar

Correct answer by
Employee

Hi,

Would you have the intranet and internet site served from the same URL? Intranet site's tend to be internal and not accessible outside your firewall. So normally you would have two separate URL's. I have even seen customers that have separate AEM servers, so there is no chance of any internal content being accidentally being published to the internet site. 

If you used a single URL, you would then need to decide after authentication if the user should be redirected to the intra or internet site. Or they be asked to select which site they wish to gain access to?

Usually the the two sites would be on different content paths, with separate home pages, you could have a central home page on which the user selects which site they wish to access, but only if you are really going to expose your intranet beyond your firewall. 

Regards,

Opkar

Avatar

Level 5

Thanks Opkar . I agree if teams setup  that way separately .Some times due to cost constraints there could be scenarios when the same page is served for both  intranet & internet with different dispatchers for intranet (inside firewall) & internet

But IDP not abstracting intranet & internet authentication - Which should be that best way

In Such cases can we have list of authentication mechanism combining OOTB SAML handler for internet & external login module (ldap) for intranet

so that same homepage url can allow authentication which ever is successful first 

example

for internet access on same page- first SAML handler will get invoked if that does not succeed the fall back to external login module (LDAP) if that also fails then error out

for intranet access on same page - SAML handler will get invoked it fails the fall back to external login module (LDAP) this is successful 

Also have you seen limits on syncing user in AEM repository either be it SAML or LDAP  - what is the MAX(N) user node support in OAK

Avatar

Employee

Hi,

I would keep it simple and have different URL's, you can map multiple domains on a single AEM instance using dispatcher[1]

There is no hard limit on the number of users that oak can handle, in previous versions I heard of customers that would implement a cleanup job to delete accounts created if the user had not logged in within a week.

Regards,

Opkar

[1] https://docs.adobe.com/docs/en/dispatcher/disp-domains.html