We're planning to implement SSO via AEM's SAML 2.0 Handler with Ping IDP, so we can get users from our own active directory as well as allow them to log in to AEM.
On the other hand, we'd also like to integrate Asset Link for end users (our users have Enterprise IDs). From my understanding, this will require creating a unique user group with a list of Enterprise/Federated ID IMS users.
I've read a lot of articles out there, but I can't seem to answer one question: If Person A has logged in to AEM via SSO first and the user's been created automatically in AEM upon SSO login, then they've managed to log in to AEM via Asset Link -- which, I'm guessing, will result in creation of another Enterprise ID user of the same person from IMS. Can these user instances be combined into one single profile, or will these be separately managed (IMS user and SSO user)?
We're not planning to subscribe to AEM Managed Services yet, so we won't be using IMS based authentication for our users.
Solved! Go to Solution.
If you configure your SAML/IdP connection to use email address for the authorizable ID for the user profiles (i.e. not user IDs), then you *can* use the same user profile for Asset Link/IMS authentication. Asset Link/IMS authentication searches user profiles for a matching email address, if a profile with the email address is found (and it contains the proper configuration property for IMS; see note below) it will use that profile. If a profile cannot be found a new profile will be created in the /home/users/ims folder.
Alternatively, if the user profiles are created using Asset Link/IMS (in /home/users/ims folder) login the your your SAML configuration can use that same user profile for SAML/IdP authentication.
Note: If the user profile is created by the SAML/IdP authentication, the user profile will need to be modified (migrated) to support IMS authentication. AEM Customer Support has a tool (Groovy script) that can perform this user migration for existing profiles (that is profiles that were created by the SAML authentication handler). The user migration of profiles can be avoided if the profiles are created by the authentication handler in AEM for Asset Link/IMS when the user logs in; this is because the IMS authentication process creates the profiles to be compatible with IMS and SAML.
Said another way: If the user profiles are created by SAML they will need to be migrated to support IMS. If the user profiles are created by IMS they do not need to be migrated. So, you can avoid the migration process entirely if you have your users login from Asset Link/IMS (which creates the user profiles) before they login using SAML.
See "Update AEM user for Adobe Asset Link" at [1] for a discussion of this topic.
Cheers,
John
If you configure your SAML/IdP connection to use email address for the authorizable ID for the user profiles (i.e. not user IDs), then you *can* use the same user profile for Asset Link/IMS authentication. Asset Link/IMS authentication searches user profiles for a matching email address, if a profile with the email address is found (and it contains the proper configuration property for IMS; see note below) it will use that profile. If a profile cannot be found a new profile will be created in the /home/users/ims folder.
Alternatively, if the user profiles are created using Asset Link/IMS (in /home/users/ims folder) login the your your SAML configuration can use that same user profile for SAML/IdP authentication.
Note: If the user profile is created by the SAML/IdP authentication, the user profile will need to be modified (migrated) to support IMS authentication. AEM Customer Support has a tool (Groovy script) that can perform this user migration for existing profiles (that is profiles that were created by the SAML authentication handler). The user migration of profiles can be avoided if the profiles are created by the authentication handler in AEM for Asset Link/IMS when the user logs in; this is because the IMS authentication process creates the profiles to be compatible with IMS and SAML.
Said another way: If the user profiles are created by SAML they will need to be migrated to support IMS. If the user profiles are created by IMS they do not need to be migrated. So, you can avoid the migration process entirely if you have your users login from Asset Link/IMS (which creates the user profiles) before they login using SAML.
See "Update AEM user for Adobe Asset Link" at [1] for a discussion of this topic.
Cheers,
John