Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now

SSO Tokens storage and passing

Avatar

Level 8
Level 8
7/25/25 11:59:06 PM

Hi all,

 

Let us say my site is integrated with SSO IDP Okta.

 

When use logs in, IDP's login page appears and IDP collects user id and password.

IDP authenticates and sends only token to AEM.

1. From then for each of the requests from that client how the token is utilized?

2. Where is the token stored or passed?

3. How is the token mapped to the user?

 

For that user AEM/IDP should not ask for user name and password.

 

Appreciate all your responses,

 

Thanks,

RK.

Views

339

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
5 Replies

Avatar

Community Advisor and Adobe Champion
Community Advisor and Adobe Champion
7/29/25 8:22:27 PM

Hi RK,


Once Okta authenticates the user, AEM only uses the token during that initial handshake. After that, AEM creates its own session and sets a secure login-token cookie in the browser.

That cookie is sent with every request, so AEM knows the user is logged in — no need to go back to Okta each time.

The SAML/OIDC token from Okta usually carries attributes like username or groups, which AEM maps to a local user (created on the fly if needed).

So in short:

  1. Okta handles the login once.
  2. AEM uses its own session cookie afterward.
  3. User mapping comes from the attributes in the token.

Views

298

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 8
Level 8
7/30/25 5:50:03 AM
In response to BrianKasingli

Thanks @BrianKasingli 

 

This reply is really helpful.

What if the user blocks cookies?

 

Of course this query is valid for normal AEM Authentication also (without an IDP).

Here also I guess AEM session is cookie based.

 

Thanks,

RK.

Views

287

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor and Adobe Champion
Community Advisor and Adobe Champion
7/30/25 9:15:21 AM
In response to nsvsrk

Hey RK,

AEM relies on a cookie (login-token) to keep a user logged in, whether the login comes through Okta SSO or directly with AEM credentials. If a user blocks cookies, AEM can still process the initial login, but every new request will look like a fresh session because there’s no cookie to prove the user is authenticated. That means the user will be asked to log in again and again.

AEM authentication is cookie‑based, and blocking cookies prevents a persistent login session. This applies both with an IDP like Okta and with AEM’s native login.

Views

277

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 8
Level 8
7/30/25 8:34:31 PM
In response to BrianKasingli

Thanks @BrianKasingli .

 

Now this subject is very clear to me.

No amount of appreciation is enough to describe my gratitude.

 

Unfortunately, I do not find the button to mark this as Correct answer.

 

Thanks,

RK.

Views

264

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor and Adobe Champion
Community Advisor and Adobe Champion
7/30/25 9:56:58 PM
In response to nsvsrk

Thats okay, thank you for trying to mark the correct answer 🙂

Views

253

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Granite UI Time Field in AEM Dialog: How to Include Seconds Along with Hours and Minutes

Views

1.1K

Likes

0

Replies

5
Issue in page move live copy - AEM 6.5 and AEM Cloud

Views

294

Likes

0

Replies

2
Renewing your Adobe Experience Manager certification is faster and simpler than ever

Views

324

Likes

2

Replies

0
How Modern Digital Asset Management Can Change Your Business: AI tagging, intelligent search, and content recommendations

Views

432

Likes

0

Replies

0
I want to know how to set up the SAML certificate file in the Publish tier and Preview tier.

Views

520

Likes

0

Replies

3