Architecture

IMS Authentication works by using the OAuth protocol between AEM and the Adobe IMS endpoint. Once a user has been added to IMS and has an Adobe Identity, they can log in to AEM Managed Services instances using IMS credentials.

The user login flow is shown below: the user is redirected to IMS, optionally on to the customer IDP for SSO validation, and then back to AEM.

[Image: user login flow between AEM, IMS, and the customer IDP]
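The redirect flow described above, as an added example that is not part of this page or of Adobe's IMS code: a simulated OAuth authorization-code login between a relying party standing in for AEM and an authorization server standing in for IMS, with an optional upstream IdP check for federated domains. The endpoint URLs, client id, domain-to-IdP table and user addresses are constructed placeholders, not real IMS parameters; the `state` and `redirect_uri` checks are standard OAuth protections shown here to make clear where each side validates the redirect.

```python
"""Simulated OAuth authorization-code login: relying party (AEM side) <-> authorization
server (IMS side), with an optional hop to a federated IdP for some email domains.

Constructed example. Endpoint URLs, client id, domains and users are placeholders,
not Adobe's real IMS endpoints or configuration.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://ims.example/authorize"  # placeholder, not the real IMS endpoint
AEM_CALLBACK = "https://aem.example/callback"    # placeholder redirect URI registered for the client


class AemClient:
    """Relying-party side: builds the redirect to the authorization server and validates the return."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.sessions = {}  # browser session id -> pending state value

    def start_login(self, session_id):
        # A fresh, unguessable state bound to this browser session is the only link
        # between the outgoing redirect and the callback that later comes back.
        state = secrets.token_urlsafe(32)
        self.sessions[session_id] = state
        params = {
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "response_type": "code",
            "state": state,
        }
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def finish_login(self, session_id, callback_url):
        """Accept the authorization code only if the callback carries the state issued to this session."""
        query = parse_qs(urlparse(callback_url).query)
        expected = self.sessions.pop(session_id, None)  # one-shot: a state is never reusable
        returned = query.get("state", [None])[0]
        if expected is None or returned != expected:
            return None  # unsolicited, replayed or tampered callback: drop it
        return query.get("code", [None])[0]


class ImsServer:
    """Authorization-server side: checks the client registration, defers to a federated
    IdP for domains that have one, then redirects back with an authorization code."""

    def __init__(self, registered_clients, federated_domains):
        self.registered = registered_clients  # client_id -> the single allowed redirect_uri
        self.federated = federated_domains    # email domain -> name of the customer IdP
        self.issued = {}                      # code -> (client_id, authenticated user)

    def authorize(self, authorize_url, user_email, idp_assertion_ok=True):
        q = parse_qs(urlparse(authorize_url).query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        # Exact match against the registered redirect URI; anything else is refused.
        if self.registered.get(client_id) != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        domain = user_email.split("@", 1)[1]
        # Federated domain: the user is sent to the customer IdP, whose assertion must succeed.
        if domain in self.federated and not idp_assertion_ok:
            raise ValueError(f"SSO at {self.federated[domain]} failed")
        code = secrets.token_urlsafe(16)
        self.issued[code] = (client_id, user_email)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': q['state'][0]})}"


def run_login(user_email, idp_assertion_ok=True, tamper_state=False):
    """Drive one complete login and return the signed-in user, or None if AEM rejected the callback."""
    ims = ImsServer({"aem-client": AEM_CALLBACK}, {"acme.com": "Okta"})  # constructed registration
    aem = AemClient("aem-client", AEM_CALLBACK)
    redirect = aem.start_login("browser-1")
    callback = ims.authorize(redirect, user_email, idp_assertion_ok)
    if tamper_state:
        # Simulate a callback whose state does not match what this session issued.
        callback = callback.rsplit("state=", 1)[0] + "state=forged"
    code = aem.finish_login("browser-1", callback)
    if code is None:
        return None
    return ims.issued[code][1]


if __name__ == "__main__":
    print(run_login("alice@acme.com"))                     # federated user, SSO succeeded
    print(run_login("alice@acme.com", tamper_state=True))  # callback rejected by AEM
```

The three outcomes worth tracing are a federated user whose IdP assertion succeeds, a user from a non-federated domain (who never reaches the IdP step), and a callback whose `state` no longer matches the session, which the AEM side discards before any code is used.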

How To Set Up

Onboarding Organizations to Admin Console

Onboarding the customer to the Admin Console is a prerequisite to using Adobe IMS for AEM authentication.

As the first step, customers should have an Organization provisioned in Adobe IMS. Adobe Enterprise customers are represented as IMS Organizations in the Adobe Admin Console.

AEM Managed Services customers should already have an organization provisioned, and as part of the IMS provisioning, the customer instances will be made available in the Admin Console for managing user entitlements and access.

The move to IMS for user authentication is a joint effort between AMS and customers, with each having its own workflows to complete.

Once a customer exists as an IMS Organization and AMS is done with provisioning the customer for IMS, this is the summary of the configuration workflows required:

[Image: overview of the configuration workflows]

  1. The designated System Admin receives an invite to log in to the Admin Console.
  2. The System Admin claims the domain to confirm ownership of it (acme.com in this example).
  3. The System Admin sets up User Directories.
  4. The System Admin configures the Identity Provider (IDP) in the Admin Console for SSO setup.
  5. The AEM Admin manages the local groups, permissions, and privileges as usual. See User and Group Sync.
NOTE
For more information about Adobe Identity Management basics, including IDP configuration, see the article Set up identity and Single Sign-On.
For more information about enterprise administration and the Admin Console, see the Welcome to the enterprise and teams admin guide.

Onboarding Users to the Admin Console

There are three ways to onboard users depending on the size of the customer and their preference:

  1. Manually create users and groups in Admin Console
  2. Upload a CSV file with users
  3. Sync users and groups from the customer’s enterprise Active Directory.

Manual Addition through Admin Console UI

Users and Groups can be manually created in the Admin Console UI. This method is suitable when the customer does not have many users to manage, for example fewer than 50 AEM users.

Users can also be manually created if the customer is already using this method for administering other Adobe products like Adobe Analytics, Adobe Target, or Adobe Creative Cloud applications.

[Image: manual user creation in the Admin Console UI]

File Upload in the Admin Console UI

For easy handling of user creation, a CSV file can be uploaded for adding users in bulk:

[Image: CSV upload of users in the Admin Console UI]

User Sync Tool

The User Sync Tool (UST in short) enables enterprise customers to create or manage Adobe users that use Active Directory or other tested OpenLDAP directory services. The target users are IT Identity Administrators (Enterprise Directory and System Admins) who will be able to install and configure the tool. The open-source tool is customizable so that customers can have a developer modify it to suit their own particular requirements.

When User Sync runs, it fetches a list of users from the organization’s Active Directory (or any other compatible data source) and compares it with the list of users within the Admin Console. It then calls the Adobe User Management API so that the Admin Console is synchronized with the organization’s directory. The change flow is entirely one way; any edits made in the Admin Console do not get pushed out to the directory.

The tool allows the system admin to map user groups in the customer's directory to product configurations and user groups in the Admin Console. The new UST version also allows dynamic creation of user groups in the Admin Console.

To set up User Sync, the organization needs to create a set of credentials in the same way they would use the User Management API.

[Image: User Sync credential setup]

User Sync is distributed through the Adobe Github repository at this location:

https://github.com/adobe-apiplatform/user-sync.py/releases/latest

Note that a pre-release version 2.4RC1 is available with dynamic group creation support and can be found here: https://github.com/adobe-apiplatform/user-sync.py/releases/tag/v2.4rc1

The major features for this release are the ability to dynamically map new LDAP groups for user membership in the Admin Console, and dynamic user group creation.

More information about the new group features can be found here:

https://adobe-apiplatform.github.io/user-sync.py/en/user-manual/advanced_configuration.html#additional-group-options
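As an added example covering both the one-way reconciliation described under User Sync Tool and the group mapping and dynamic group creation mentioned above: a small model of one sync pass that compares a directory user list with the Admin Console user list and produces the create, update and orphan actions that would then be sent to the User Management API. This is not the User Sync Tool's own code or the real UMAPI; the `DirectoryUser`/`ConsoleUser` types, the `plan_sync` and `sample_plan` functions, and the LDAP group names, email addresses and mapping table are all constructed for the illustration.

```python
"""Constructed model of a directory -> Admin Console sync pass.

Not the User Sync Tool's code: the types, functions and sample data below are this
example's own. It shows the one-way rule the tool follows (the directory is
authoritative; console-side edits are overwritten and never pushed back) and how
LDAP groups are mapped, or dynamically carried over, to Admin Console groups.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirectoryUser:
    email: str
    groups: frozenset  # LDAP group names the user belongs to


@dataclass
class ConsoleUser:
    email: str
    groups: set = field(default_factory=set)  # Admin Console user groups / product profiles


def plan_sync(directory_users, console_users, group_map, create_unmapped_groups=False):
    """Return the actions that bring the Admin Console in line with the directory.

    group_map: LDAP group -> Admin Console group (product profile or user group).
    create_unmapped_groups: when True, LDAP groups with no mapping are carried over
    under their own name (the dynamic group creation mode); when False they are ignored.
    Console-only users are reported as 'orphan' for the admin to decide on; this example
    does not pick a removal policy for them.
    """
    actions = []
    # Email is the join key; compare case-insensitively so "Alice@" and "alice@" are one account.
    console_by_email = {u.email.lower(): u for u in console_users}

    for d in sorted(directory_users, key=lambda u: u.email.lower()):
        wanted = set()
        for g in d.groups:
            if g in group_map:
                wanted.add(group_map[g])
            elif create_unmapped_groups:
                wanted.add(g)

        current = console_by_email.pop(d.email.lower(), None)
        if current is None:
            actions.append(("create", d.email.lower(), sorted(wanted)))
            continue
        # Directory membership wins: add what is missing, strip what the directory no longer grants.
        to_add = sorted(wanted - current.groups)
        to_remove = sorted(current.groups - wanted)
        if to_add or to_remove:
            actions.append(("update", d.email.lower(), to_add, to_remove))

    # Whatever is left exists only in the console and has no directory counterpart.
    for email in sorted(console_by_email):
        actions.append(("orphan", email))
    return actions


def sample_plan(create_unmapped_groups=False):
    """Run plan_sync over a constructed directory snapshot and console snapshot."""
    directory = [  # constructed LDAP export
        DirectoryUser("alice@acme.com", frozenset({"CN=AEM-Authors"})),
        DirectoryUser("bob@acme.com", frozenset({"CN=AEM-Authors", "CN=Marketing"})),
    ]
    console = [  # constructed Admin Console state, including a console-side edit and a leaver
        ConsoleUser("Alice@acme.com", {"AEM Authors", "Legacy Group"}),
        ConsoleUser("carol@acme.com", {"AEM Authors"}),
    ]
    group_map = {"CN=AEM-Authors": "AEM Authors"}  # constructed mapping
    return plan_sync(directory, console, group_map, create_unmapped_groups)


if __name__ == "__main__":
    for action in sample_plan():
        print(action)
```

In the sample data, Alice's console-only "Legacy Group" is scheduled for removal because the directory does not grant it, Bob is created with only the mapped group unless dynamic group creation is on (in which case "CN=Marketing" is carried over as well), and Carol, who is absent from the directory, surfaces as an orphan rather than being silently kept.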

NOTE
For more details see:
NOTE
The AEM IMS configuration will be handled by the Adobe Managed Services team. However, the customer administrator may modify it as per their requirements (for example, Auto Group Membership or Group Mapping). The IMS client will also be registered by your Managed Services team.

How to Use

Managing Products and User Access in Admin Console

When the customer Product Administrator logs in to Admin Console, they will see multiple instances of the AEM Managed Services Product Context as shown below:

[Image: AEM Managed Services Product Context instances in the Admin Console]

In this example, the org AEM-MS-Onboard has 32 instances spanning different topologies and environments like Stage, Prod, and so on.

[Image: instances of the org AEM-MS-Onboard]

The instance details can be checked to identify the instance:

[Image: instance details]

Under each Product Context instance, there will be an associated Product Profile. This product profile is used for assigning access to users.

[Image: Product Profile under a Product Context instance]

Any users added under this product profile will be able to log in to that instance, as shown in the example below:

[Image: users assigned to a product profile]

Logging into AEM

Local Admin Login

AEM can continue to support local logins for Admin users, as the login screen has an option to log in locally:

[Image: AEM login screen with the local login option]

IMS-Based Login

For other users, IMS-based login can be used once IMS is configured on the instance. The user first clicks Sign in with Adobe, as shown below:

[Image: Sign in with Adobe option on the AEM login screen]

They are then redirected to the IMS login screen, where they enter their credentials:

[Image: IMS login screen]

If a federated IDP was configured during the initial Admin Console setup, the user is redirected to the customer IDP for SSO.

The IDP is Okta in the below example:

[Image: Okta IDP login screen]

After authentication is complete, the user will be redirected back to AEM and logged in:

[Image: user logged in to AEM after redirect]