Resolving authentication failures with Multiple Identity Providers in Adobe Experience Manager

When integrating multiple Identity Providers (IDPs) into Adobe Experience Manager (AEM), users may encounter authentication failures. These failures arise when principal names are not unique across the different IDPs, which causes conflicts in AEM. To resolve the login problems, ensure that each IDP produces unique principal names and handle the status of affected (for example, disabled) users appropriately.

Description

Environment

Adobe Experience Manager (AEM)

Issue/Symptoms

  • The issue arises because rep:principalName is identical for users coming from different IDPs, so AEM cannot distinguish between users logging in through the various OAuth providers. This lack of differentiation results in login failures.

Technical details

  • In AEM, when a user logs in through an IDP, a user node is created with attributes such as rep:principalName and rep:externalId. The rep:principalName represents the local user ID in AEM, while rep:externalId links the user to the external IDP.
    • Example user node in AEM:
{
  "jcr:primaryType": "rep:User",
  "jcr:mixinTypes": ["rep:AccessControllable"],
  "jcr:createdBy": "",
  "jcr:created": "Date and Time",
  "rep:principalName": "unique_principal_name",
  "rep:lastSynced": "Date and Time",
  "jcr:uuid": "unique-identifier",
  "rep:externalId": "user@domain.com;idp_identifier",
  "rep:authorizableId": "unique_principal_name"
}

Resolution

To resolve this issue:

  • Modify the mapUserId method in your OAuth provider implementation to append a unique identifier or prefix specific to each OAuth provider. This ensures that rep:principalName is unique per provider, which eliminates the conflicts.
  • If a user logs in with a second IDP and the sync handler does not match the existing user, AEM may disable that user. This is indicated by the rep:disabled attribute on the user node:
{
  "rep:disabled": "No longer exists on external identity provider 'idp_identifier'"
}
  • Test thoroughly after implementing the changes to confirm that logins succeed with each of the IDPs. If issues persist, review the implementation and consider reopening the support ticket for further investigation.
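The following is an added example of the mapUserId change described above; it is not Adobe's code. It assumes that com.adobe.granite.auth.oauth.Provider declares mapUserId(String, Map) and getId(), and the class name, the character whitelist and the separator are illustrative choices.

```java
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

import com.adobe.granite.auth.oauth.Provider;

/**
 * Hypothetical excerpt of a custom AEM OAuth provider (added example, not Adobe code).
 * Only the user-id mapping is shown; the remaining Provider methods are left to the
 * concrete subclass. mapUserId(String, Map) and getId() are assumed to be the methods
 * declared by com.adobe.granite.auth.oauth.Provider.
 */
public abstract class PrefixedUserIdProvider implements Provider {

    // Characters that are awkward in a JCR authorizable id are replaced with '_'.
    private static final Pattern UNSAFE = Pattern.compile("[^a-z0-9@._-]");

    /**
     * Maps the user id returned by the IDP to the local AEM user id, which AEM stores
     * as rep:principalName / rep:authorizableId. Prefixing it with the provider id
     * guarantees that the same upstream id arriving from two different IDPs yields two
     * distinct local users instead of colliding on one rep:principalName.
     */
    @Override
    public String mapUserId(String userId, Map<String, Object> props) {
        if (userId == null || userId.trim().isEmpty()) {
            // Never fall back to a shared placeholder id: that would recreate the collision.
            throw new IllegalArgumentException("IDP returned an empty user id");
        }
        String local = UNSAFE.matcher(userId.trim().toLowerCase(Locale.ROOT)).replaceAll("_");
        // getId() is assumed to return the provider id from the OAuth configuration, e.g. "idp-a".
        // "idp-a-jane.doe@domain.com" and "idp-b-jane.doe@domain.com" no longer clash.
        return getId() + "-" + local;
    }
}
```

Note that changing the mapping on an instance that already has synced users changes the local id those users map to, so they may be treated as new users at their next login; plan the rollout accordingly.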

For additional support or questions, please contact Adobe support.
