Adobe IMS Authentication and Admin Console Support for AEM Managed Services
Topics: Administering
Created for: Admin
Introduction
AEM 6.4.3.0 introduces Admin Console support for AEM instances and Adobe IMS (Identity Management System) based authentication for AEM Managed Services customers.
AEM onboarding to the Admin Console will allow AEM Managed Services customers to manage all Experience Cloud users in one console. Users and Groups can be assigned to product profiles associated with AEM instances, allowing them to log in to a specific instance.
Key Highlights
- AEM IMS authentication support is only for AEM authors, admins or developers, not for external end users of the customer's site, such as site visitors.
- The Admin Console will represent AEM Managed Services customers as IMS Organizations and their instances as Product Contexts. Customer System and Product Admins will be able to manage access to instances.
- AEM Managed Services will sync customer topologies with the Admin Console. There will be one instance of the AEM Managed Services Product Context per instance in the Admin Console.
- Product Profiles in the Admin Console will determine which instances a user can access.
- Federated authentication using customers’ own SAML 2 compliant Identity Providers is supported.
- Only Enterprise or Federated IDs (for customer Single Sign-On) will be supported, not personal Adobe IDs.
- User management (in the Adobe Admin Console) will continue to be owned by the customer admins.
Architecture
IMS Authentication works by using the OAuth protocol between AEM and the Adobe IMS endpoint. Once a user has been added to IMS and has an Adobe Identity, they can log in to AEM Managed Services instances using IMS credentials.
The user login flow is shown below: the user is redirected to IMS and optionally to the customer IDP for SSO validation, and is then redirected back to AEM.
How To Set Up
Onboarding Organizations to Admin Console
Onboarding the customer to the Admin Console is a prerequisite to using Adobe IMS for AEM authentication.
As the first step, customers should have an Organization provisioned in Adobe IMS. Adobe Enterprise customers are represented as IMS Organizations in the Adobe Admin Console.
AEM Managed Services customers should already have an organization provisioned, and as part of the IMS provisioning, the customer instances will be made available in the Admin Console for managing user entitlements and access.
The move to IMS for user authentication will be a joint effort between AMS and customers, with each having their own workflows to complete.
Once a customer exists as an IMS Organization and AMS is done with provisioning the customer for IMS, this is the summary of the configuration workflows required:
- The designated System Admin receives an invite to log in to the Admin Console
- The System Admin claims the domain to confirm ownership of the domain (in this example acme.com)
- The System Admin sets up User Directories
- The System Admin configures the Identity Provider (IDP) in the Admin Console for SSO setup.
- The AEM Admin manages the local groups, permissions and privileges as usual. See User and Group Sync.
Onboarding Users to the Admin Console
There are three ways to onboard users depending on the size of the customer and their preference:
- Manually create users and groups in Admin Console
- Upload a CSV file with users
- Sync users and groups from the customer’s enterprise Active Directory.
Manual Addition through Admin Console UI
Users and groups can be created manually in the Admin Console UI. This method is suitable when the customer does not have a large number of users to manage, for example fewer than 50 AEM users.
Users can also be manually created if the customer is already using this method for administering other Adobe products like Analytics, Target or Creative Cloud applications.
File Upload in the Admin Console UI
For easy handling of user creation, a CSV file can be uploaded for adding users in bulk:
User Sync Tool
The User Sync Tool (UST in short) enables enterprise customers to create or manage Adobe users utilizing Active Directory or other tested OpenLDAP directory services. The target users are IT Identity Administrators (Enterprise Directory and System Admins) who will be able to install and configure the tool. The open source tool is customizable so that customers can have a developer modify it to suit their own particular requirements.
When User Sync runs, it fetches a list of users from the organization’s Active Directory (or any other compatible data source) and compares it with the list of users within the Admin Console. It then calls the Adobe User Management API so that the Admin Console is synchronized with the organization’s directory. The change flow is entirely one-way; any edits made in the Admin Console do not get pushed out to the directory.
The tool allows the system admin to map user groups in the customer’s directory to product configurations and user groups in the Admin Console. The new UST version also allows dynamic creation of user groups in the Admin Console.
To set up User Sync, the organization needs to create a set of credentials in the same way they would use the User Management API.
User Sync is distributed through the Adobe Github repository at this location:
https://github.com/adobe-apiplatform/user-sync.py/releases/latest
Note that a pre-release version 2.4RC1 is available with dynamic group creation support and can be found here: https://github.com/adobe-apiplatform/user-sync.py/releases/tag/v2.4rc1
The major features for this release are the ability to dynamically map new LDAP groups for user membership in the Admin Console, as well as dynamic user group creation.
More information about the new group features can be found here:
https://github.com/adobe-apiplatform/user-sync.py/blob/v2/docs/en/user-manual/advanced_configuration
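To make the one-way flow concrete, here is an added model (not the User Sync Tool's own code) of the reconciliation it performs: directory groups are mapped to Admin Console product profiles, the console is brought in line with the directory, and nothing flows back to the directory. The group names, profile names and users are constructed for this example.

```python
from typing import Dict, Set

# Constructed mapping from directory groups to Admin Console product profiles.
# The real tool reads its mapping from a YAML config; these names are assumptions.
GROUP_MAP = {
    "aem-authors-prod": "AEM Managed Services - Author - Prod",
    "aem-authors-stage": "AEM Managed Services - Author - Stage",
}

def desired_profiles(dir_groups: Set[str], group_map=GROUP_MAP) -> Set[str]:
    """Translate a user's directory groups into the profiles the user should hold."""
    return {group_map[g] for g in dir_groups if g in group_map}
def plan_sync(directory: Dict[str, Set[str]], console: Dict[str, Set[str]],
              group_map=GROUP_MAP) -> dict:
    """Compute the Admin Console changes that make it match the directory.
    directory: email -> directory groups (the enterprise source of truth)
    console:   email -> product profiles currently held in the Admin Console
    The directory is never written to (one-way flow), and profiles that are not
    targets of the mapping (e.g. other Adobe products) are left untouched."""
    managed = set(group_map.values())
    plan = {"create": {}, "add": {}, "remove": {}, "revoke": []}
    for email, groups in directory.items():
        want = desired_profiles(groups, group_map)
        if not want:
            continue  # user is in no mapped group, so sync does not manage them
        have = console.get(email)
        if have is None:
            plan["create"][email] = want  # new Adobe identity with these profiles
        else:
            if want - have:
                plan["add"][email] = want - have
            if (have & managed) - want:
                plan["remove"][email] = (have & managed) - want
    for email, have in console.items():
        if email not in directory and have & managed:
            plan["revoke"].append(email)  # left the directory: drop managed access
    return plan
# Constructed sample data: a directory snapshot and the current console state.
DIRECTORY = {
    "alice@acme.com": {"aem-authors-prod", "aem-authors-stage"},
    "bob@acme.com": {"aem-authors-stage"},
    "carol@acme.com": {"finance"},
    "erin@acme.com": {"aem-authors-prod"},
}
CONSOLE = {
    "alice@acme.com": {"AEM Managed Services - Author - Stage"},
    "bob@acme.com": {"AEM Managed Services - Author - Stage", "Adobe Analytics - Default"},
    "dave@acme.com": {"AEM Managed Services - Author - Prod"},
}
```

Running `plan_sync(DIRECTORY, CONSOLE)` yields a create for erin, an added Prod profile for alice, a revoke for dave (who no longer exists in the directory), and no change for bob's Analytics profile, which the mapping does not manage.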
How to Use
Managing Products and User Access in Admin Console
When the customer Product Administrator logs in to Admin Console, they will see multiple instances of the AEM Managed Services Product Context as shown below:
In this example, the org AEM-MS-Onboard has 32 instances spanning different topologies and environments like Stage, Prod, etc.
The instance details can be checked to identify the instance:
Under each Product Context instance, there will be an associated Product Profile. This product profile is used for assigning access to users and groups.
Any users and groups added under this product profile will be able to log in to that instance, as shown in the example below:
Logging into AEM
Local Admin Login
AEM can continue to support local logins for Admin users, as the login screen has an option to log in locally:
IMS Based Login
For other users, the IMS based login can be used once IMS is configured on the instance. The user will first click on the Sign in with Adobe button as shown below:
They will then be redirected to the IMS login screen and enter their credentials:
If a federated IDP is configured during initial Admin Console setup, then the user will be redirected to the customer IDP for SSO.
The IDP is Okta in the below example:
After authentication is complete, the user will be redirected back to AEM and logged in:
Migrating Existing Users
For existing AEM instances that are using another method of Authentication and are now being migrated to IMS, there needs to be a migration step.
Existing users in the AEM repository (sourced locally, via LDAP or SAML) can be migrated to point to IMS as the IDP using the User Migration Utility.
This utility will be run by your AMS team as part of IMS provisioning.
Managing Permissions and ACLs in AEM
Access control and permissions will continue to be managed in AEM. This is achieved by separating the user groups coming from IMS (e.g. AEM-GRP-008 in the example below) from the local groups where the permissions and access control are defined. The user groups that are synced from IMS can be assigned to local groups and inherit their permissions.
In the example below, we are adding synced groups to the local Dam_Users group.
Here, a user has also been assigned to a few groups in the Admin Console. (Note that the users and groups can be synced from LDAP using the User Sync Tool or created locally; see the section Onboarding Users to the Admin Console above.)
The user is part of the following Groups in IMS:
When the user logs in, their Group Memberships are synced, as shown below:
In AEM, the user groups synced from IMS can be added as members to existing local groups, e.g. DAM Users.
As shown below, the group AEM-GRP_008 inherits the Permissions and Privileges of DAM Users. This is an effective way of managing permissions for synced groups and is commonly used in LDAP based Authentication methods as well.