We have externally hosted login page and plan to use SAML2 Authentication Handler. SAML2 Authentication Handler relies either on users already present in AEM (JCR) or creates them on the fly in JCR repository. We have large number of external users logging in to publishers. Concern is that it might affect performance and bloat the repo if we create an AEM account for each external user. We're leaning towards using limited number of generic accounts to log users into AEM based on user attributes. What is the best way to accomplish this? What is the service that in the context of SAML2 authentication handles creating AEM user accounts? Is it SAML2 Authentication Handler Service itself? Can we extend it? Or is there a better way to approach this?