Using AEM with Okta (with increased session duration)

johneuk84
Level 1

09-08-2018

Hello,

We want to integrate AEM with Okta.

However, Okta has a short session time that we don't want to change, and we have a requirement for AEM to have a longer session time.

Therefore, after authentication with Okta, we somehow need AEM to create its own session that will be valid for x days.

For the purposes of this explanation, let's assume x=10 days.

After logging in, if the user returns to AEM within those 10 days, then they wouldn't have to log in again, and the session would be extended for a further 10 days.

If however the 10 days expires, we would expect the user to have to re-authenticate via Okta.

Please note we have multiple publisher instances, so any solution would need to work irrespective of what publisher instance the user was processed on.

Any ideas?

Thanks

Replies

smacdonald2008
Level 10

09-08-2018

Have you read in AEM docs this is a supported use case?

johneuk84
Level 1

09-08-2018

Not specifically

I know Okta is a supported IDM, although my requirement needs to tailor the standard use case of Okta to essentially extend the AEM session (Perhaps by custom auth handlers?)

Looking for advice

Thanks

smacdonald2008
Level 10

09-08-2018

Endoriel
Level 2

09-08-2018

As far as I know, once the user is authenticated with the IdP via the SAML request, in AEM you still get a token created and associated with the CRX session. Every subsequent request is authenticated via the CRX Token Authentication Handler first before going to the SSO Handler, unless you changed the JAAS rankings.

So you should be able to set the AEM session timeout via the Token Configuration and this can be different from Okta.

Since you mentioned this authentication happens on publish instances and you have multiple ones, you should look at configuring the encapsulated token support or sticky sessions in your load balancer.

I hope this helps!
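
Added example, not part of the original thread and not AEM's actual token format: a simplified Python model of the encapsulated-token idea from the reply above, in which a self-contained, HMAC-signed token with a sliding 10-day expiry can be validated by any publish instance holding the same key. The function names, payload layout and key values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

TTL = 10 * 24 * 3600  # the thread's x = 10 days, in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue(key: bytes, user: str, now: int) -> str:
    """Mint a self-contained token: JSON payload plus an HMAC-SHA256 tag."""
    payload = json.dumps({"sub": user, "exp": now + TTL}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate(key: bytes, token: str, now: int):
    """Return (user, renewed_token), or None if the user must re-authenticate.

    No server-side lookup is needed, so any instance with the same key
    reaches the same decision.
    """
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Check the tag (constant-time) before trusting anything in the payload.
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(payload)
        user, exp = claims["sub"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token
    if now >= exp:
        return None  # the 10 days elapsed: back to the IdP
    # Sliding window: every valid visit earns a fresh 10-day token.
    return user, issue(key, user, now)


if __name__ == "__main__":
    shared_key = b"constructed-demo-key"  # constructed value, same on every instance
    day = 24 * 3600
    token = issue(shared_key, "jdoe", now=0)           # minted on publisher A
    print(validate(shared_key, token, now=9 * day))    # accepted on publisher B
    print(validate(shared_key, token, now=10 * day))   # None: expired
```

Because nothing is stored server-side in this model, a token remains valid until its embedded expiry, and an instance holding a different key rejects every token.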