IMS Support for Adobe Experience Manager as a Cloud Service

Last update: 2024-01-05

Introduction

  • AEM as a Cloud Service includes Admin Console support for AEM instances and Adobe Identity Management System (IMS for short) based authentication.
  • The Admin Console allows administrators to centrally manage all Experience Cloud users.
  • Users and Groups can be assigned to product profiles associated with an AEM as a Cloud Service instance, allowing them to log on to that instance.
TIP

See Configure Access to AEM for Administrators for an introduction to how users authenticate using Adobe IMS to AEM as a Cloud Service. Also learn how Adobe IMS Users, User Groups, and Product Profiles are used to control access to AEM and its features and functionalities. Adobe ID required.

Key Highlights

AEM as a Cloud Service offers IMS authentication support only for Author, Admin, and Dev users. It does not offer support for external end users of customer sites like site visitors.

  • The Admin Console represents customers as IMS Organizations, and the Author and Publish instances in an environment as Product Context Instances. This representation allows System and Product administrators to manage access to instances.
  • Product Profiles in the Admin Console determine which instances a user can access.
  • Customers can use their own SAML 2 compliant Identity Providers (IDP for short) for Single Sign On.
  • Only Enterprise or Federated IDs for customer Single Sign On are supported, no personal Adobe IDs.

Architecture

IMS Authentication works using the OAuth protocol between AEM and the Adobe IMS endpoint. Once a user has been added to IMS and has an Adobe Identity, they can log in to the AEM author service using IMS credentials.

The user logon flow is shown below: the user is redirected to IMS, optionally on to the customer IDP for SSO, and then redirected back to AEM.

IMS Architecture

How to Set Up

Onboarding Organizations to Adobe Admin Console

The customer onboarding to Adobe Admin Console is a prerequisite to using Adobe IMS for AEM authentication.

As the first step, customers must have an Organization provisioned in Adobe IMS. Adobe Enterprise customers are represented as IMS Organizations in the Adobe Admin Console. This area is the portal used by Adobe customers to manage their product entitlements for their users and groups.

AEM customers should already have an Organization provisioned, and as part of the IMS provisioning, the customer instances are made available in Admin Console for managing user entitlements and access.

After a customer exists as an IMS Organization, they have to configure their system as summarized in the following:

IMS Onboarding

  1. The designated System Administrator receives an invite to log in to Cloud Manager. After logging into Cloud Manager, the System Administrator can choose to provision AEM programs and environments or navigate to Admin Console for administrative tasks.
  2. The System Administrator claims a domain to confirm ownership of the respective domain (for example, acme.com).
  3. The System Administrator sets up User Directories.
  4. The System Administrator performs the IDP configuration in Admin Console to set up Single Sign On.
  5. The AEM Administrator manages the local groups and permissions and privileges as usual.

The Adobe Identity Management basics including IDP configuration are covered here.

Enterprise Administration and Admin Console usage is covered here.

Onboarding Users in Admin Console

There are three ways to onboard users. Which method to choose depends on the size of the customer and their preference. You can manually create users in Admin Console, upload a .csv file, or sync users from the customer’s enterprise Active Directory.

Manual Addition through Admin Console UI

Users and Groups can be manually created in the Admin Console UI. This method can be used if you do not have many users to manage, for example fewer than 50 AEM users, or if you are already using this method for administering other Adobe products like Analytics, Target, or Creative Cloud applications.

User Onboarding

File Upload in Admin Console UI

For easy handling of user creation, a .csv file can be uploaded for adding users in bulk.

File Upload

User Sync Tool

User Sync Tool (UST for short) enables Adobe enterprise customers to create and manage Adobe users using Active Directory. The UST also works with other tested OpenLDAP directory services. The target users are IT Identity Administrators (Enterprise Directory or System Admins) who are able to install and configure the tool. The open-source tool is customizable, so customers can modify it to suit their own particular requirements.

When User Sync runs, it fetches a list of users from the organization’s Active Directory and compares it with the list of users within the Admin Console. It then calls the Adobe User Management API so that the Admin Console is synchronized with the organization’s directory. The change flow is entirely one way. Any edits made in the Admin Console do not get pushed out to the directory.

The tool lets the system admin map user groups in the customer’s directory to product configurations and user groups in the Admin Console.

To set up User Sync, the organization must create a set of credentials in the same way they would to use the User Management API.
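The one-way comparison described above, reduced to its core, as an added illustration: this is constructed example code, not the User Sync Tool's own implementation, the group-to-profile mapping and the user data are assumptions, and no real User Management API call is made. It shows why a profile assigned by hand in the Admin Console is reverted on the next run while the directory itself is never written to.

```python
"""Illustration of the one-way directory -> Admin Console sync.
Constructed example; not the Adobe User Sync Tool's code and not the real UMAPI."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DirUser:
    email: str
    groups: frozenset  # directory (AD/LDAP) group names the user belongs to

# Assumed mapping: directory group -> Admin Console product profile.
# Only the profiles listed here are managed by the sync; others are left alone.
GROUP_MAPPING = {
    "aem-authors": "AEM Users_dev-author",
    "aem-admins": "AEM Administrators_dev-author",
}
MANAGED_PROFILES = frozenset(GROUP_MAPPING.values())

# Constructed sample input: the directory and the current Admin Console state.
DIRECTORY_USERS = [
    DirUser("alice@acme.com", frozenset({"aem-authors"})),
    DirUser("bob@acme.com", frozenset({"aem-authors", "aem-admins"})),
    DirUser("carol@acme.com", frozenset({"finance"})),  # no mapped group: out of scope
]
CONSOLE_USERS = {
    "alice@acme.com": {"AEM Users_dev-author", "AEM Administrators_dev-author"},  # admin added by hand
    "bob@acme.com": {"AEM Users_dev-author"},
    "dave@acme.com": {"AEM Users_dev-author"},  # exists only in the console
}

def plan_sync(directory_users, console_users, remove_console_only=False):
    """Return the (action, email, profiles) tuples the console needs to match the
    directory. The directory is the only source of truth: profile changes made by
    hand in the console are reverted and nothing is pushed back to the directory."""
    actions, in_scope = [], set()
    for user in directory_users:
        wanted = {GROUP_MAPPING[g] for g in user.groups if g in GROUP_MAPPING}
        if not wanted:
            continue  # user has no mapped directory group: not synced at all
        in_scope.add(user.email)
        current = console_users.get(user.email)
        if current is None:
            actions.append(("create", user.email, tuple(sorted(wanted))))
            continue
        managed = set(current) & MANAGED_PROFILES  # ignore unmanaged profiles
        if wanted - managed:
            actions.append(("add", user.email, tuple(sorted(wanted - managed))))
        if managed - wanted:
            actions.append(("remove", user.email, tuple(sorted(managed - wanted))))
    if remove_console_only:  # optional handling of console-only users (assumed policy)
        for email, profiles in console_users.items():
            if email not in in_scope and set(profiles) & MANAGED_PROFILES:
                actions.append(("remove_from_org", email, ()))
    return actions
```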

User Sync Tool

User Sync Tool is distributed through the Adobe GitHub repository at this location.

NOTE

A prerelease version 2.4RC1 is available with dynamic group creation support and can be found here.

The major features for this release are the ability to dynamically map new LDAP groups for user membership in the Admin Console, and dynamic user group creation.

More information about the new group features can be found at this location.

User Sync Documentation

See UST documentation for more details.

The User Sync Tool must be registered as an Adobe Developer Console client for the User Management API (UMAPI) using the procedure here.

Adobe Developer Console Documentation can be found here.

The User Management API that is used by the User Sync Tool is covered here.

Adobe Experience as a Cloud Service Configuration

NOTE

The AEM IMS configuration required is automatically configured when the AEM environments and instances are provisioned. However, the administrator may modify it as per their requirements using the method described here.

The AEM IMS configuration required is auto-configured when the AEM environments and instances are provisioned. Customer administrators may modify part of the configuration as per their requirements.

The overall approach is to configure Adobe IMS as an OAuth provider. The Apache Jackrabbit Oak Default Sync Handler can be modified just like for LDAP synchronization.

Below are the key OSGi configurations that must be modified to change properties like User Auto Membership or Group Mappings.

How to Use

Managing Products and User Access in Admin Console

When the Product Administrator logs on to Admin Console, they see multiple instances of the AEM as a Cloud Service Product Context, as shown below. For example, select any of the products from the Overview page:

Instances login

You see a list of existing instances:

Instances login2

Under each Product Context instance, there are instances spanning Author or Publish services across Production, Stage, or Development environments. Each instance is associated with Product Profiles or Cloud Manager roles. These product profiles are used for assigning access to Users and Groups with the required privileges.

The AEM Administrators_xxx profile is used to grant Administrator privileges in the associated AEM instance while the AEM Users_xxx profile is used to add regular users.

Any users and groups added under this product profile are able to log on to that instance as shown in the example below:

Product Profile

WARNING

Do not change the AEM Administrators product profile name. Changing the name of the AEM Administrators product profile removes administrator rights from all users assigned to that profile.

Logging into Adobe Experience Manager as a Cloud Service

Local Administrator Login

AEM can continue to support local logins for Admin users. The logon screen lets you log on locally:

Local Login

IMS Based Login

For other users, the IMS-based logon is used after IMS is configured on the instance. The user clicks the Sign-in with Adobe button as shown below:

IMS Login

NOTE

Any user created in IMS can be created using an Adobe ID or a Federated ID. If a user is set up using a Federated ID, they are authenticated using their company’s Identity Provider to log on.

They are redirected to the IMS logon screen and must enter their credentials:

IMS Login2

IMS Login3

If a federated IDP is configured during initial Admin Console setup, then the user is redirected to the customer IDP for SSO:

IMS Login4

After authentication is complete, the user is redirected back to AEM and logged in:

IMS Login5

Managing Permissions and ACLs in Adobe Experience Manager as a Cloud Service

The ACLs and permissions continue to be managed in AEM. The User Groups that are synced from IMS can be assigned to local groups where ACLs and privileges are defined.

In the example below, synced groups are added to the local Dam_Users group.

The user is part of the following Groups in IMS:

ACL1

When the user logs in, their Group Memberships are synced, as shown below:

ACL2

In AEM, the User Groups synced from IMS can be added as members to existing local groups, like DAM Users.

ACL3

As shown below, the group AEM-GRP_008 inherits the permissions and privileges of DAM Users. This inheritance is an effective way of managing permissions for synced groups and is commonly used in the LDAP-based Authentication method.

ACL3

Accessing Cloud Manager

To be able to access Cloud Manager or environments on AEM as a Cloud Service, you must be assigned to Profiles of the Cloud Manager Product.

See Role Definitions to learn more about roles for users which govern the availability of specific features in Cloud Manager.

NOTE

Cloud Manager has pre-configured roles with appropriate permissions. To learn about the specific permissions and pre-configured tasks associated with each role, see Role-Based Permissions.

Steps for Adding a User

  1. Add a user to a particular profile either from an existing user’s screen or from a new user screen.

  2. Alternatively, you can also add a user from the Overview screen, as shown in the figure below.

    ACL3

    NOTE

    You can assign more than one profile to a user as shown in the figure below.

    ACL3

  3. Once you have been added to the appropriate profile, you should be able to access the respective tenants in Cloud Manager by way of Adobe Experience Cloud, from the upper-right corner of the user interface.

Accessing an Instance in AEM as a Cloud Service

IMPORTANT

The steps mentioned in the preceding section must have already been completed before you are granted access to an instance in AEM as a Cloud Service.

To grant access to an AEM instance from the Admin Console, you should see the Cloud Manager Program and the environments within that program in the product list on the Admin Console.

For example, in the screenshot below, you see two available environments, namely a dev author and a publish.

ACL3

To get access to AEM instances, the user must be added to a group of the appropriate Cloud Service Product.

Every author instance has an AEM Administrators and AEM Users Profile and every publish instance has an AEM Users Profile. You can add other profiles as needed.

To get admin level access to the AEM instance, add the user to the AEM Administrators Profile for that particular Product.
