AEM 6.0 Custom Authentication handler | Community
sunilrajp
New Participant
October 16, 2015
Solved

AEM 6.0 Custom Authentication handler

  • October 16, 2015
  • 17 replies
  • 7721 views

Hi, I need your suggestions :-)

We are doing an SSO implementation in AEM 6.0.

The customer has their own home-grown login application. AEM (through the Dispatcher) will be protected by Siteminder, so any user request will be taken to their custom login page, and after a successful login the return request back to AEM will contain headers like the user name and other group attributes, etc.

The client does not want to integrate AEM with LDAP for any authentication from the AEM side. The requirement is to authenticate against the AEM CRX repository based on the header attributes. If the user already exists in CRX, let the user log in to AEM; else create the user in CRX with a default password and also add them to the groups based on the group attributes in the header variable.

In this scenario, my understanding is that we do not need any custom Login Module, as AEM does not need to synchronize user authentication data from a third-party system, but we would need a custom authentication handler to authenticate against CRX (in a custom way, based on the user and group values retrieved from the header)?

Can someone confirm this approach? Does anyone have suggestions on how to write and integrate a custom authentication handler in AEM 6.0 (or is this as simple as enabling the SSO authentication handler)?

Thank you very much for suggestions and thoughts :-) 

Best answer by JustinEd3

I think you're correct - for this use case you need a custom authentication handler. The OOTB SSO handler could be used, but it depends upon the users already existing (or being creatable via LDAP or some other Login Module). But since you need to auto-create users based on the headers, you need to handle that in an authentication handler.

Are you sure you can't use SAMLv2? That would be significantly simpler (and is generally something which Siteminder does support).

Regards,

Justin
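The original question (provision the user in CRX from Siteminder headers, then log them in) and Justin's answer (a custom authentication handler rather than a login module) describe the same component. The sketch below is an added example written for this thread, not code from the original post or from Adobe. It assumes the Sling `AuthenticationHandler` SPI and the Jackrabbit `UserManager` API that AEM 6.0 exposes, Felix SCR annotations, Siteminder's conventional `SM_USER` header for the user name, constructed header names `X-SSO-Groups` (comma-separated group ids) and `X-Dispatcher-Secret` (a value only the dispatcher adds), a hypothetical package name, and a service-user mapping named `userProvisioning` with user-administration rights.

```java
package com.example.sso;                                   // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import java.util.regex.Pattern;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.sling.api.resource.*;
import org.apache.sling.auth.core.spi.*;
import org.apache.sling.commons.osgi.PropertiesUtil;

/** Header-based SSO: trusts user/group headers only on requests carrying the dispatcher's
 *  shared secret, creates the user in CRX on first sight, syncs groups, then logs in. */
@Component(metatype = true, immediate = true)
@Service(AuthenticationHandler.class)
@Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/content") // paths this handler covers
public class HeaderSsoAuthenticationHandler implements AuthenticationHandler {

    private static final String AUTH_TYPE = "HEADER_SSO";
    private static final String USER_HEADER = "SM_USER";               // Siteminder's user-name header
    private static final String GROUP_HEADER = "X-SSO-Groups";         // constructed name
    private static final String SECRET_HEADER = "X-Dispatcher-Secret"; // constructed name
    private static final String DEFAULT_PASSWORD = "placeholder-default-password"; // per the post; set per deployment
    private static final String SUBSERVICE = "userProvisioning";       // assumed service-user mapping
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    @Property(value = "placeholder-shared-secret")                     // configure via OSGi config
    private static final String PROP_SECRET = "sso.shared.secret";
    private String sharedSecret = "";

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Activate
    protected void activate(Map<String, Object> props) {
        sharedSecret = PropertiesUtil.toString(props.get(PROP_SECRET), "");
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse resp) {
        if (!fromTrustedProxy(req)) {
            return null;                                   // not an SSO request: let other handlers run
        }
        String userId = req.getHeader(USER_HEADER);
        if (userId == null || !SAFE_ID.matcher(userId).matches()) {
            return null;                                   // missing or malformed id: no credentials
        }
        try {
            ensureUserAndGroups(userId, req.getHeader(GROUP_HEADER));
        } catch (LoginException | RepositoryException e) {
            return AuthenticationInfo.FAIL_AUTH;           // provisioning failed: deny, do not fall through
        }
        // Authenticate against CRX with the credentials the user was provisioned with.
        return new AuthenticationInfo(AUTH_TYPE, userId, DEFAULT_PASSWORD.toCharArray());
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        return false;                                      // Siteminder challenges in front of the dispatcher
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Nothing to clear here: the SSO session lives in Siteminder, not in AEM.
    }

    /** Constant-time check that the request really arrived through the dispatcher. */
    private boolean fromTrustedProxy(HttpServletRequest req) {
        String presented = req.getHeader(SECRET_HEADER);
        if (presented == null || sharedSecret.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
                                     sharedSecret.getBytes(StandardCharsets.UTF_8));
    }

    /** Creates the user if absent and adds it to the (already existing) groups named in the header. */
    private void ensureUserAndGroups(String userId, String groupHeader)
            throws LoginException, RepositoryException {
        ResourceResolver resolver = resolverFactory.getServiceResourceResolver(
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE));
        try {
            JackrabbitSession session = (JackrabbitSession) resolver.adaptTo(Session.class);
            UserManager um = session.getUserManager();
            Authorizable existing = um.getAuthorizable(userId);
            if (existing != null && existing.isGroup()) {
                throw new RepositoryException("id collides with a group: " + userId);
            }
            User user = existing == null ? um.createUser(userId, DEFAULT_PASSWORD) : (User) existing;
            for (String groupId : groupHeader == null ? new String[0] : groupHeader.split(",")) {
                Authorizable g = groupId.trim().isEmpty() ? null : um.getAuthorizable(groupId.trim());
                if (g instanceof Group && !((Group) g).isMember(user)) {
                    ((Group) g).addMember(user);           // never auto-creates groups from header input
                }
            }
            if (session.hasPendingChanges()) {
                session.save();
            }
        } finally {
            resolver.close();
        }
    }
}
```

Two design points matter for safety. First, the handler logs in whoever the headers name, so it must only believe headers on requests that actually passed through the Siteminder-protected dispatcher; here that is a shared secret the dispatcher injects (set `sso.shared.secret` in OSGi configuration) and the dispatcher must also drop any `SM_USER`, `X-SSO-Groups` or `X-Dispatcher-Secret` values supplied by the client. Second, the "default password" from the question has to be known to the handler because the returned `AuthenticationInfo` logs in with it, so treat it as a per-deployment secret rather than a literal default, and keep the `/content` path restriction so the handler never fronts the author or admin paths.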

17 replies

navinkaushal
New Participant
February 28, 2018

Yes. External users would not be able to access your AEM system, as their permissions, I assume, would be configured that way.

nikrohit78
New Participant
February 28, 2018

ADFS is configured for internal users, because internal users are all in the corporate AD.

But the external users will be in AEM; hence they will be shown the AEM login page and will be authenticated by AEM.

navinkaushal
New Participant
February 28, 2018

I believe not, assuming you don't have ADFS also configured for authentication for internal users.

nikrohit78
New Participant
February 28, 2018

I agree. If I configure SAML-based authentication in AEM, internal users will be validated against ADFS (I am hoping they will not be asked for a username/password once logged into the corporate network). But what happens to external customers who will be in AEM and will not be authenticated by ADFS? They should be shown the AEM login page.

Will they not be challenged by the ADFS authentication page for credentials?

navinkaushal
New Participant
February 28, 2018

ADFS can be configured as the identity provider in the existing SAML server. Once that is done, a user logged in through ADFS should log in seamlessly.

Employee
February 27, 2018

You should be able to do this without any customization in AEM by integrating AEM with ADFS via SAML. I don't know the details of how to configure domain authentication (which I think is what you are describing) in ADFS, but I suspect it is fairly straightforward.

FWIW, inside Adobe we do something similar, although we use Okta, not ADFS. We do require MFA for most internal applications, though, so even though I never enter a password when I'm on the corporate network, I have to accept a push message on my phone at least once a day (well, more, because I'm using multiple browsers).

nikrohit78
New Participant
February 27, 2018

Thanks Navin, but we cannot upgrade any infra.

Can SAML authentication help here? Can I assume that when internal users open their Internet Explorer (that is what they mostly use), they will be logged in via SSO, and hence when they type in the application URL, the request will land at the SAML authenticator?

navinkaushal
New Participant
February 27, 2018

nikrohit78

What you can do is

Set up a local SSO server which uses your ADFS as the authentication provider. Once the user logs in using your SSO, he/she should be able to log in seamlessly.

nikrohit78
New Participant
February 20, 2018

Hi Justin,

I have a similar Use Case but a little variation. Please see if you can help me by suggesting a solution.

We have our internal users in ADFS and external users in AEM. The requirement is that when any internal user tries to access the application URL from the office network, they should be directly authenticated by ADFS and land on the application (it doesn't matter even if they don't exist in the AEM repo).

Whereas when an external user tries to access the application URL (obviously from outside the office network), they should be challenged for user credentials.

Thanks

navinkaushal
New Participant
April 24, 2017