Hybrid domains require at least one authentication provider, and enterprise domains require at least one authentication provider or directory provider.
If you enable SSO using SPNEGO, add a Kerberos authentication provider with SPNEGO enabled and an LDAP provider as a backup. This configuration enables user authentication with a user ID and password if SPNEGO is not working. (See Enable SSO using SPNEGO.)
The following settings are available, depending on the type of domain and type of authentication you chose.
If you are configuring authentication for an enterprise or hybrid domain and select LDAP authentication, you can choose to use the LDAP server specified in your directory configuration, or you can choose a different LDAP server to use for authentication. If you choose a different server, your users must exist on both LDAP servers.
To use the LDAP server specified in your directory configuration, select LDAP as the authentication provider and click OK.
To use a different LDAP server to perform authentication, select LDAP as the authentication provider, and select the Custom LDAP Authentication check box. The following configuration settings are displayed.
(Mandatory) Fully qualified domain name (FQDN) of the directory server. For example, for a computer called x on the corp.example.com network, the FQDN is x.corp.example.com. An IP address can be used in place of the FQDN server name.
(Mandatory) The port the directory server uses. Typically 389, or 636 if the Secure Sockets Layer (SSL) protocol is used for sending authentication information over the network.
(Mandatory) Specifies whether the directory server uses SSL when sending data over the network. The default is No. When set to Yes, the corresponding LDAP server certificate must be trusted by the Java™ runtime environment (JRE) of the application server.
Authentication is required. In the Name box, specify the name of the user record that can access the directory. It is best to enter the full distinguished name (DN) of the user account, such as cn=Jane Doe, ou=user, dc=can, dc=com. In the Password box, specify the associated password. These settings are required when you select User as the Binding option.
Retrieve Base DNs:
(Not mandatory) Retrieves the base DNs and displays them in the drop-down list. This setting is useful when you have multiple base DNs and need to select a value.
(Mandatory) Used as the starting point for synchronizing users and groups from the LDAP hierarchy. It is best to specify a base DN at the lowest level of the hierarchy that encompasses all users and groups that need to be synchronized for services. Do not include the user’s DN in this setting. To synchronize a particular user, use the Search Filter setting.
Populate page with:
(Not mandatory) When selected, populates attributes on the User and Group settings pages with corresponding default LDAP values.
(Mandatory) The search filter to use to find the record that is associated with the user. See Search Filter Syntax.
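The Custom LDAP Authentication settings above interact with each other (SSL and port, bind account format, base DN versus search filter). The following is an added example, not Adobe code and not part of the AEM forms product: a small pre-flight check that takes the values you intend to enter into the form and reports the mismatches and weak choices described in the settings descriptions. The field names on the dataclass and both sample configurations are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class CustomLdapAuth:
    """Values intended for the Custom LDAP Authentication form (field names assumed for this example)."""
    server: str          # FQDN or IP address of the directory server
    port: int            # 389 for plain LDAP, 636 for LDAP over SSL
    ssl: bool            # whether the directory server uses SSL
    bind_name: str       # name of the user record that can access the directory (User binding)
    bind_password: str
    base_dn: str         # starting point for synchronizing users and groups
    search_filter: str   # filter that finds the record associated with the user


def check_ldap_settings(cfg: CustomLdapAuth) -> list[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: list[str] = []
    if not cfg.server:
        findings.append("server: FQDN or IP address of the directory server is mandatory")
    if cfg.ssl and cfg.port == 389:
        findings.append("port: SSL is enabled but port is 389; LDAP over SSL normally uses 636")
    if not cfg.ssl:
        if cfg.port == 636:
            findings.append("ssl: port 636 is the LDAPS port but SSL is set to No")
        # Without SSL the bind password and every user's password cross the network in cleartext.
        findings.append("ssl: disabled, so bind and user passwords are sent unencrypted")
    # The doc recommends the full distinguished name of the bind account.
    if "=" not in cfg.bind_name or not cfg.bind_password:
        findings.append("name: bind account should be a full DN such as "
                        "cn=svc,ou=service,dc=example,dc=com, with its password")
    # A base DN whose first RDN is cn= or uid= usually points at one entry, not a container.
    leaf = cfg.base_dn.split(",", 1)[0].strip().lower()
    if leaf.startswith(("cn=", "uid=")):
        findings.append("base dn: looks like a single user entry; use the container holding all "
                        "users and groups and narrow with the search filter instead")
    flt = cfg.search_filter.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        findings.append("search filter: must be a parenthesised LDAP filter, e.g. (objectClass=person)")
    return findings


# Constructed sample: the weak form of the settings...
WEAK = CustomLdapAuth(
    server="ldap.corp.example.com", port=389, ssl=False,
    bind_name="admin", bind_password="secret",
    base_dn="cn=Jane Doe,ou=user,dc=corp,dc=example,dc=com",
    search_filter="objectClass=person",
)

# ...and the corrected form of the same settings.
HARDENED = CustomLdapAuth(
    server="ldap.corp.example.com", port=636, ssl=True,
    bind_name="cn=svc-aem,ou=service,dc=corp,dc=example,dc=com",
    bind_password="<password-placeholder>",
    base_dn="ou=user,dc=corp,dc=example,dc=com",
    search_filter="(objectClass=person)",
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_ldap_settings(cfg) or ["ok"])
```

The check is intentionally conservative: it flags a `cn=` or `uid=` leaf in the base DN as a likely user DN, which the documentation says not to use, but the final decision stays with the administrator who knows the directory layout.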
If you are configuring authentication for an enterprise or hybrid domain and select Kerberos authentication, the following settings are available.
The DNS IP address of the server where AEM forms is running. On Windows, you can determine this IP address by running ipconfig /all at the command line.
Fully qualified host name or IP address of the Active Directory server that is used for authentication.
If you are using Active Directory 2003, this value is the mapping created for the service principal in the form HTTP/<server name>. If you are using Active Directory 2008, this value is the login ID of the service principal. For example, assume that the service principal is named um spnego, the user ID is spnegodemo, and the mapping is HTTP/example.corp.yourcompany.com. With Active Directory 2003, you set Service User to HTTP/example.corp.yourcompany.com. With Active Directory 2008, you set Service User to spnegodemo. (See Enable SSO using SPNEGO.)
Enables the use of SPNEGO for single sign-on (SSO). (See Enable SSO using SPNEGO.)
If you are configuring authentication for an enterprise or hybrid domain and select SAML authentication, the following settings are available. For information about additional SAML settings, see Configure SAML service provider settings.
Please select a SAML Identity Provider Metadata file to import:
Click Browse to select a SAML identity provider metadata file generated by your IDP, and then click Import. The details read from the IDP metadata are displayed.
Alias to the URL denoted by the EntityID. The title is also displayed on the login page for enterprise and local users.
Identity Provider Supports Client Basic Authentication:
Client Basic Authentication is used when the IDP uses a SAML Artifact Resolution profile. In this profile, User Management connects back to a web service running at the IDP to retrieve the actual SAML assertion. The IDP may require authentication. If the IDP does require authentication, select this option and specify a user name and password in the boxes provided.
Enables you to specify additional properties. The additional properties are name=value pairs separated by new lines.
The following custom properties are required if artifact binding is used.
Add the following custom property to specify a username that represents the AEM forms Service Provider, which will be used to authenticate to the IDP Artifact Resolution service:
saml.idp.resolve.username=<username>
Add the following custom property to specify the password for the user specified in saml.idp.resolve.username:
saml.idp.resolve.password=<password>
Add the following custom property to allow the service provider to ignore the certificate validation while establishing the connection with the Artifact Resolution service over SSL:
saml.idp.resolve.ignorecert=true
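The custom properties box takes name=value pairs separated by new lines, and the three artifact-binding properties above have different weights: the first two are required, while saml.idp.resolve.ignorecert=true turns off certificate validation of the connection to the IDP. As an added example (not Adobe code and not part of the AEM forms product), the following parses such a properties block and reports what is missing or weak. The two property blocks are constructed for the example.

```python
# Property names exactly as documented for AEM forms artifact binding.
REQUIRED_FOR_ARTIFACT = ("saml.idp.resolve.username", "saml.idp.resolve.password")
IGNORECERT = "saml.idp.resolve.ignorecert"


def parse_custom_properties(text: str) -> dict[str, str]:
    """Parse newline-separated name=value pairs; the first '=' splits name from value."""
    props: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines are ignored
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=value, got {line!r}")
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip()
    return props


def check_artifact_properties(props: dict[str, str], artifact_binding: bool) -> list[str]:
    """Return findings for the artifact-resolution properties; empty means nothing to fix."""
    findings: list[str] = []
    if artifact_binding:
        for name in REQUIRED_FOR_ARTIFACT:
            if not props.get(name):
                findings.append(f"{name} is required when artifact binding is used")
    if props.get(IGNORECERT, "").lower() == "true":
        findings.append(f"{IGNORECERT}=true disables certificate validation for the SSL "
                        "connection to the Artifact Resolution service; trust the IDP "
                        "certificate in the JRE instead and remove this property")
    return findings


# Constructed sample: password missing and certificate checks disabled.
WEAK_PROPERTIES = """
saml.idp.resolve.username=aem-sp
saml.idp.resolve.ignorecert=true
"""

# Constructed sample: both required values present, certificate validation left on.
HARDENED_PROPERTIES = """
saml.idp.resolve.username=aem-sp
saml.idp.resolve.password=<password-placeholder>
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        props = parse_custom_properties(text)
        print(label, check_artifact_properties(props, artifact_binding=True) or ["ok"])
```

The ignorecert finding is raised even when artifact binding is not in use, because the property has no safe effect to keep it around for.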
If you are configuring authentication for an enterprise or hybrid domain and select Custom authentication, select the name of the custom authentication provider.
Just-in-time provisioning creates a user in the User Management database automatically after the user is successfully authenticated via an authentication provider. Relevant roles and groups are also assigned dynamically to the new user. You can enable just-in-time provisioning for enterprise and hybrid domains.
This procedure describes the way traditional authentication works in AEM forms:
The authentication provider then checks whether the user exists in the User Management database. The following statuses are possible:
If the user is current and unlocked, User Management returns authentication success. However, if the user is not current or is locked, User Management returns authentication failure.
When just-in-time provisioning is enabled, new users are created dynamically in User Management if one of the authentication providers validates their credentials (after step 3 in the procedure above).
Without just-in-time provisioning, when a user is successfully authenticated but is not found in the User Management database, the authentication fails. Just-in-time provisioning adds a step in the authentication procedure to create the user and assign roles and groups to the user.
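The difference between the two flows is easiest to see as a decision model. The following is an added example, not Adobe code and not the actual User Management implementation: a minimal in-memory model of the documented outcomes (user current and unlocked, not current or locked, not found with and without just-in-time provisioning). The class and method names, the `current`/`locked` flags and the sample users are constructed for the example; the Identity Creator and Assignment Provider steps are reduced to creating the user and attaching a fixed set of groups.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthResult(Enum):
    SUCCESS = "authentication success"
    FAILURE = "authentication failure"


@dataclass
class UmUser:
    """A user record in the (modelled) User Management database."""
    user_id: str
    current: bool = True          # False models a user that is no longer current
    locked: bool = False
    groups: set[str] = field(default_factory=set)


class UserManagement:
    def __init__(self, users, jit_enabled: bool = False, jit_groups=()):
        self.users = {u.user_id: u for u in users}
        self.jit_enabled = jit_enabled
        self.jit_groups = set(jit_groups)   # what the Assignment Provider would hand out

    def authenticate(self, user_id: str, credentials_valid: bool) -> AuthResult:
        """credentials_valid stands in for the authentication provider's verdict."""
        # Just-in-time provisioning only happens after a provider validated the credentials.
        if not credentials_valid:
            return AuthResult.FAILURE
        user = self.users.get(user_id)
        if user is None:
            if not self.jit_enabled:
                # Traditional flow: authenticated at the provider but unknown to UM fails.
                return AuthResult.FAILURE
            # Just-in-time flow: Identity Creator creates the user, Assignment Provider
            # attaches roles and groups, then the normal status checks apply.
            user = UmUser(user_id, groups=set(self.jit_groups))
            self.users[user_id] = user
        if user.current and not user.locked:
            return AuthResult.SUCCESS
        return AuthResult.FAILURE


def run_scenarios() -> dict[str, AuthResult]:
    """Exercise each documented status with constructed users; returns the outcomes."""
    traditional = UserManagement([UmUser("alice"), UmUser("bob", locked=True),
                                  UmUser("dan", current=False)])
    jit = UserManagement([UmUser("bob", locked=True)], jit_enabled=True,
                         jit_groups={"forms-users"})
    return {
        "known, current, unlocked": traditional.authenticate("alice", True),
        "known but locked": traditional.authenticate("bob", True),
        "known but not current": traditional.authenticate("dan", True),
        "unknown, no JIT": traditional.authenticate("carol", True),
        "unknown, JIT, bad credentials": jit.authenticate("carol", False),
        "unknown, JIT, good credentials": jit.authenticate("carol", True),
        "locked, JIT": jit.authenticate("bob", True),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:32} -> {result.value}")
```

Note that the lock and current-status checks still run for a user that was just created, so just-in-time provisioning adds a step but does not bypass the existing checks.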
Add authentication providers. While adding authentication providers, on the New Authentication screen, select a registered Identity Creator and Assignment Provider. (See Configuring authentication providers.)