Enabling MFA for AEM Author login through Adobe IMS or an external identity provider

AEM doesn’t provide native Multi-Factor Authentication (MFA) for local usernames and passwords, which is the source of most confusion in MFA requests. MFA is supported only when authentication is delegated to Adobe IMS or an external Identity Provider (IdP) such as Okta, Azure AD, or any SAML/OIDC provider that enforces it, because the AEM login screen itself contains no MFA logic. The challenge has to happen before AEM receives the authentication, so local accounts — which bypass external IdPs — have no enforcement mechanism. Determining the authentication model and enabling MFA at the IMS or IdP layer delivers enforced MFA for AEM Author login.

Description

Issue: MFA can’t be enabled directly on AEM Author login or for local AEM accounts

Description

Customers request MFA on AEM Author login pages for security compliance, and confusion arises among several distinct paths: Adobe IMS MFA, IdP-based MFA for Federated IDs, Adobe ID optional two-step verification, unsupported MFA for local AEM users, and custom MFA integrations such as AEM Forms JEE OTP or custom authentication handlers. These requests occur across AEMaaCS, AMS 6.5, and AEM Forms JEE. AEM’s login screen doesn’t implement MFA logic, so the challenge must occur before AEM receives authentication.

Environment:

  • Adobe Experience Manager as a Cloud Service (AEMaaCS)
  • AEM Managed Services (AMS 6.5)
  • AEM Forms JEE
  • Adobe IMS and external SAML/OIDC identity providers

Issue/Symptoms:

  • Customer requests enabling MFA on AEM Author login for all users.
  • Customer requests MFA for local or non-SSO accounts, which AEM doesn’t support out of the box.

Root cause:

AEM’s login screen doesn’t implement MFA logic. MFA must occur before AEM receives authentication, either via Adobe IMS or a Federated SAML/OIDC IdP that enforces it. Local AEM accounts bypass external IdPs and therefore have no MFA enforcement mechanism.

How to confirm

  1. Determine your authentication model by confirming whether users authenticate via Adobe IMS, Federated SSO (SAML/OIDC), or local AEM accounts:

    • AEMaaCS always uses IMS (Adobe ID, Business ID, or Federated ID).
    • AMS 6.5 uses IMS, SAML, LDAP, or local accounts.
    • AEM Forms JEE can additionally implement custom OTP via OpenAPI.
  2. Categorize your user groups into Federated ID users, Adobe ID users, or local AEM users, then validate by reviewing the login screen behavior (IMS versus local).

Resolution

  1. For Adobe IMS authentication, enable MFA via the Admin Console. Go to adminconsole.adobe.com → Settings → Privacy and security → Authentication System and enable MFA enforcement for your user directory. Log out, log back in with a Federated ID, and confirm the MFA challenge appears from the IdP.

  2. For Federated ID (SSO) users, configure MFA directly in your IdP. Implement mandatory MFA in the IdP’s conditional access policy so the IdP prompts for MFA before issuing the SAML/OIDC token to AEM. Test login from a user matching the policy. If the challenge doesn’t appear, check the IdP access logs and confirm the SAML Assertion Consumer URLs match your AEM environment hostnames.

  3. Understand Adobe ID MFA limitations for external users. Adobe ID MFA is optional and can’t be enforced globally. External agency users can independently enable two-step verification on their Adobe ID account page. If enforcement is required, use Federated IDs instead of Adobe IDs.

  4. For local AEM users, clarify that MFA isn’t supported out of the box. Local accounts must be migrated to SSO/IMS for MFA enforcement. Check whether any local accounts still exist under /useradmin and plan a migration path for them.

  5. For AEM Forms JEE customers requiring SMS-OTP MFA, configure a third-party SMS integration:

    • Choose an SMS provider and obtain the API credentials.
    • Create an OpenAPI/Swagger 2.0 file describing the OTP send and verify endpoints.
    • Integrate using AEM Forms data integration with OpenAPI.
    • Configure the HTML Workspace login to trigger the OTP call.

    Perform a mobile HTML Workspace login and confirm SMS delivery.

  6. For custom MFA workflows on the AEM login page (AEMaaCS or AMS), note that this requires a custom authentication handler. Adobe Support doesn’t implement or debug custom handlers, so engage Adobe Consulting or a partner for this work.
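As an added illustration of the Swagger 2.0 file referenced in step 5 (a constructed example, not Adobe's or any provider's own file), the following describes the two operations an AEM Forms data integration would bind to. The host, paths, field names and the API-key header are placeholders; substitute the values your SMS provider documents.

```yaml
# Constructed example, not Adobe's: Swagger 2.0 description of a hypothetical SMS-OTP
# provider. Host, paths, field names and the API-key header are placeholders.
swagger: "2.0"
info: {title: "SMS OTP Provider (placeholder)", version: "1.0"}
host: api.sms-provider.example        # placeholder
basePath: /v1
schemes: [https]                      # OTP traffic over TLS only
consumes: [application/json]
produces: [application/json]
securityDefinitions:
  ApiKeyAuth: {type: apiKey, in: header, name: X-API-Key}   # placeholder header
security:
  - ApiKeyAuth: []
paths:
  /otp/send:
    post:
      operationId: sendOtp            # operation bound in the Form Data Model
      parameters:
        - in: body
          name: body
          required: true
          schema:
            type: object
            required: [phoneNumber]
            properties:
              phoneNumber: {type: string, description: "User's number in E.164 form"}
      responses:
        "200":
          description: OTP dispatched
          schema: {type: object, properties: {requestId: {type: string}}}   # echoed on verify
  /otp/verify:
    post:
      operationId: verifyOtp
      parameters:
        - in: body
          name: body
          required: true
          schema:
            type: object
            required: [requestId, code]
            properties:
              requestId: {type: string}
              code: {type: string, description: "Code entered by the user"}
      responses:
        "200":
          description: Verification result
          schema: {type: object, properties: {verified: {type: boolean}}}
```

The Workspace login calls sendOtp first and then verifyOtp with the requestId and the user-entered code; only a verified: true response should let the login proceed.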

Validation

  1. Confirm IMS or IdP-based MFA triggers before AEM session creation.
  2. Attempt login with a non-MFA-enabled user and confirm access is blocked per policy.
  3. For Forms JEE SMS OTP, confirm the OTP logs show a successful request and response for the test user.