Using AEM with Okta (with increased session duration)

Avatar

Avatar

johneuk84

Avatar

johneuk84

johneuk84

09-08-2018

Hello,

We want to integrate AEM with Okta.

However Okta has a short session time that we don't want to change, and we have a requirement for AEM to have a longer session time.

Therefore after authentication with Okta, we somehow need AEM to create its own session that will be valid for x days.

For the purposes of this explanation, Lets assume x=10 days.

After logging in, If the user returns to AEM within those 10 days, then they wouldn't have to login again, and the session would be extended for a further 10 days.

If however the 10 days expires, we would expect the user to have to re-authenticate via Okta.

Please note we have multiple publisher instances, so any solution would need to work irrespective of what publisher instance the user was processed on.

Any ideas?

Thanks

Replies

Avatar

Avatar

smacdonald2008

Total Posts

12.7K

Likes

1.4K

Correct Reply

2.3K
View profile

Avatar

smacdonald2008

Total Posts

12.7K

Likes

1.4K

Correct Reply

2.3K
View profile
smacdonald2008

09-08-2018

Have you read in AEM docs this is a supported use case?

Avatar

Avatar

johneuk84

Avatar

johneuk84

johneuk84

09-08-2018

Not specifically

I know Okta is a supported IDM, although my requirement needs to tailor the standard use case of Okta to essentially extend the AEM session (Perhaps by custom auth handlers?)

Looking advice

Thanks

Avatar

Avatar

smacdonald2008

Total Posts

12.7K

Likes

1.4K

Correct Reply

2.3K
View profile

Avatar

smacdonald2008

Total Posts

12.7K

Likes

1.4K

Correct Reply

2.3K
View profile
smacdonald2008

09-08-2018

See if these links help:

adobe AEM Saml URL

User Management - Authorization - OKTA and AEM

Avatar

Avatar

Endoriel

Avatar

Endoriel

Endoriel

09-08-2018

As far as I know once the user is authenticated with the IdP via the SAML request, in AEM you still get a token created and associated with the crx session. Every subsequent request is authenticated via the CRX Token Authentication Handler first before going to the SSO Handler unless you changed the JAAS rankings.

So you should be able to set the AEM session timeout via the Token Configuration and this can be different from Okta.

Since you mentioned this authentication happens on publish instances and you have multiple ones, you should look at configuring the encapsulated token support or sticky sessions in your load balancer.

I hope this helps!