Understanding Adobe IMS authentication with AEM on Adobe Managed Services

Adobe Experience Manager introduces Admin Console support for AEM instances and Adobe Identity Management System (IMS) based authentication for AEM on Managed Services. This integration allows AEM Managed Services customers to manage all Experience Cloud users in a single unified Web console. Users and groups can be assigned to product profiles associated with AEM instances, granting centrally managed access to the specific AEM instances.

Let’s take a look at how we can define and manage our users in Adobe IMS, and allow those users to access our Adobe Managed Services AEM instances. So what we’ll be doing is allowing a test user to log into our staging 18 AEM author, and we’ll be assigning them appropriate permissions so they can act as a DAM user.

The first thing we’re gonna wanna do is create a new user group, which will allow us to centrally manage the users that can access our AEM instance. So I’ll click on Users, User groups, and I’ll be creating a digital marketing user group in Adobe IMS that we’ll add all the users to that need to access our AEM instance. Note that it’s often helpful to manage your user groups by role, and this allows for a lot more flexibility using the same groups across all Adobe products and the Experience Cloud. Also note that I’ve added dash IMS to the end, and this is just to help us identify the IMS-based user groups versus AEM-based user groups. Right, so I’m gonna save our change and create a new user group. I can search and locate our new user group in the Admin Console, and I can click into it.

Since this is a new user group, there are no users in it, so we need to add our user. And before I do that I just wanna quickly show you that there are a number of ways that you can add users to an Adobe IMS user group, making this very easy. Since we’ll only be adding a single user, I’ll click the Add user button and search for a user. All right, let me select our test user and hit Save. So now our test user is a member of our digital marketing IMS user group.

The last thing we need to do is associate our user group with the product we want to allow these users to log into. So we can do this one of two ways. We can either assign it directly through the assigned product profiles, or we can head over to our products, select AEM and services, find the AEM instance we wanna associate our user group with, and go to Users.
And from here we can add either a user or a user group. So I can search for our digital marketing IMS user group, select our staging 18 author profile and hit save.
And our digital marketing user group is now listed with an indication that there is one user that is part of this group. While you can add users directly to product profiles, it is typically better and more flexible to manage the access using user groups. Now that we have our user added to our digital marketing user group, and our digital marketing user group has been granted access to our AEM instance on Adobe Managed Services, let’s check out the login experience for our user. So for this I’ll switch over to a new browser window. So this is the Adobe Managed Services AEM login screen for the product profile that I provisioned for my test user. So I can simply click on Sign in with Adobe, and I’ll be taken to an Adobe IMS login. I can provide my user’s email address, hit Next, and in my case I’ll be taken to Okta, which is just handling all of my authentication for me, and I can log in, and I will be redirected back into my AEM instance on Adobe Managed Services. If we click on the profile, you can see that I am in fact logged in as test user 0002.
So let’s head over to Assets, and you can see that I don’t have access to my assets. There’s no way to upload assets and I can’t browse any of the assets. If we dig a little deeper, we can see why.
I click into my test user, that was synced in from Adobe IMS, and you can see that my user is part of the contributors group, the everyone group, as well as the digital marketing IMS group that we defined in the Adobe Admin Console. The contributors and everyone groups are defined via a system configuration. However, any of the Adobe IMS user groups are also passed in. If you’re familiar with AEM, you’ll know that contributors and everyone don’t have access to AEM Assets, which is why we can’t see anything. The best way to resolve our user access is to add our digital marketing IMS user group to AEM’s out-of-the-box DAM users group. This allows any user that we add in Adobe IMS to our digital marketing IMS user group to automatically become part of this AEM instance’s DAM users. So for this I’m going to log into this instance, in a different browser tab, as our admin.
We can see that I’m logged in as the administrator and from here we have the ability to go to security and manage our user groups in AEM.
So we can locate the out-of-the-box AEM DAM users group, click on it, click over to Members, and we can add the digital marketing IMS user group as a member of this group.
Go ahead and save and close, and now any users of the digital marketing IMS group will also be DAM users. To test this out, we can flip back to our Adobe IMS user, and browse back to assets.
And as you can see now I have access to the projects folder, as well as I can create and upload assets.
All right, so I hope this helps you understand how you can define users and groups in the Adobe Admin Console, and tie them to corresponding AEM Adobe Managed Services instances and the out-of-the-box AEM user groups therein.
  • Adobe Experience Manager IMS authentication support is only for “internal” users (authors, reviewers, administrators, developers, and so on), and not external end-users such as web site visitors.
  • Admin Console represents AEM Managed Services customers as IMS Orgs and the AEM instances as Product Contexts. Admin Console System and Product Admins can define and manage.
  • AEM Managed Services syncs your topology with Admin Console, creating a 1-to-1 mapping between a Product Context and an AEM instance.
  • The Product Profile in Admin Console determines which AEM instances a user can access.
  • Authentication support includes customer SAML2 compliant IDPs for SSO.
  • Only Enterprise or Federated IDs (for customer SSO) are supported (Personal Adobe IDs are not supported).

* This feature is supported for AEM 6.4 SP3 and later for Adobe Managed Services customers.

Best practices

Applying permissions in Admin Console

Applying permissions and access at the user level should be avoided in both Admin Console and in Adobe Experience Manager.

In Admin Console, users should be granted access via User Groups at the Product Context level. User groups are typically best expressed by logical role within the organization to promote the groups’ reusability across Adobe Experience Cloud products.

Applying permissions in Adobe Experience Manager

In Adobe Experience Manager, user groups synced from Adobe IMS should in turn be added to AEM-provided user groups, which come preconfigured with the appropriate permissions to execute specific sets of tasks in AEM. Users synced from Adobe IMS should not be directly added to AEM-provided user groups.
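To make the group-nesting rule concrete, here is an added Python check (not Adobe's or AEM's own code) that resolves a user's effective AEM group membership through nested groups and flags IMS-synced users placed directly into an AEM-provided group. The membership snapshots and the user and group names are constructed to mirror the scenario in the video; in a real audit they would be read from the AEM instance.

```python
from collections import deque

# Constructed membership snapshots modelled on the page's scenario; they are
# not read from AEM and the names are illustrative.
IMS_USERS = {"test-user-0002"}
DEFAULT_GROUPS = {"everyone", "contributors"}   # assigned by system configuration
AEM_PROVIDED_GROUPS = {"dam-users"} | DEFAULT_GROUPS

# group -> direct members (users or nested groups)
BEFORE = {
    "everyone": {"test-user-0002"},
    "contributors": {"test-user-0002"},
    "digital-marketing-ims": {"test-user-0002"},
    "dam-users": set(),
}
# After the fix shown in the video: the IMS group is nested inside dam-users.
AFTER = {**BEFORE, "dam-users": {"digital-marketing-ims"}}


def effective_groups(principal, membership):
    """Transitive group membership: walk nested groups breadth-first."""
    queue = deque(g for g, members in membership.items() if principal in members)
    seen = set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        # any group that lists this group as a member is also inherited
        queue.extend(p for p, members in membership.items() if group in members)
    return seen


def has_dam_access(user, membership):
    """True when the user reaches dam-users directly or via a nested group."""
    return "dam-users" in effective_groups(user, membership)


def direct_user_grants(membership):
    """Best-practice check: IMS users should reach AEM-provided groups only
    through an IMS user group, never as direct members (default groups excepted)."""
    return sorted(
        (user, group)
        for group in AEM_PROVIDED_GROUPS - DEFAULT_GROUPS
        for user in membership.get(group, ())
        if user in IMS_USERS
    )
```

Running `direct_user_grants` over a snapshot in which the test user was added straight into dam-users returns that pairing, while the nested-group layout from the video returns no findings.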