
SOLVED

Are users created in AEM too if we integrate with external IDP like Azure AD B2C?


Level 2

Hi there,

We have been asked to integrate AEM with Azure AD B2C for external users' authentication and we are planning to use the SAML authentication provider which is OOTB in AEM as a Cloud Service. However, I am not sure if users are created in AEM too after authentication and if yes, why? Given a publish server can scale out anytime based on the number of requests, would user creation in AEM not pose scalability and experience issues? A user logged into a publish server may be routed to another publish server on the following request which may not have this user created yet, resulting in an error.

Would like to poll the group to see how it works behind the scenes and whether anybody observed the issues I mentioned above and if yes, how this can be avoided?


Thanks,

Vineet Kumar


1 Accepted Solution


Correct answer by
Community Advisor

Hi @Vineet18 ,


Yes, the users can be created in AEM based on a configuration. [ Adobe Granite SAML 2.0 Authentication Handler ]


There you can select the option to autocreate users in CRX and it will create new users who log in through SAML.


[attached screenshot: Anmol_Bhardwaj_0-1661491611429.png]


Now for your other question:

No, there will not be any error in other publish instances because we would need to do User Synchronisation through Sling Distribution. That will synchronise users, ACLs and other related stuff to different publishers.

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/sync.html?lang=... 


6 Replies



Employee Advisor

As mentioned you have a usersync running in the background. Also an affinity cookie is used to route a user always to the same instance as long as possible.


Level 2

Thank you @Jörg_Hoh & @Anmol_Bhardwaj 

Really appreciate your response.

However, could you please let me know the reasons why it is necessary to create users in AEM, as IMHO the IDP should actually be the source of truth and we should use JWT validation server side on AEM rather than storing users in AEM. Since Sling distribution is eventually consistent, I believe a sticky/affinity cookie is required to make it work. An affinity cookie could introduce scaling problems based on the access pattern of users, i.e. if users affiliated to a particular AEM instance are more active than others.

It will help me get a big picture to know why AEM requires external users to be created in AEM and if we don't do that what use cases or functionality would we miss.


Thank you,

Vineet Kumar


Community Advisor

Hi @Vineet18 ,


As I mentioned, users can be created, but it is not mandatory. If you do not opt to create users in AEM, it will create a temp user for you.

The creation of users in AEM for users which have authenticated through SAML etc. is important to track the activities within AEM. If you take a closer look at the resources/assets/workflows etc., you will notice that there is a "lastModifiedBy", "lastReplicatedBy" and even other events which are tracked OOTB by AEM. This can also be used for some custom auditing which tracks user activity on the website. If you do not create a user within AEM, you will not be able to track any of these operations done by users to assets, nodes, pages etc.


Level 2

Thank you @Anmol_Bhardwaj but the users we are talking about here are external users/visitors and not business users. I am fine if users are created for business users since they will be limited in numbers.

Please let me know your thoughts for external users, i.e. integrating AEM with Azure AD B2C.


Employee Advisor

You just need users in AEM if you want to either store profile information in AEM (I would not do that), or if you need to have them in different groups (so for permission reasons). In any other case you don't need the users in the AEM repository.
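To make the two positions in this thread concrete (the accepted answer's "Autocreate CRX Users" option, and the advice above to keep external visitors out of the repository unless you need groups or profile data), here is an added example of an OSGi configuration for the Adobe Granite SAML 2.0 Authentication Handler. It is not code from this thread or from Adobe; the factory PID and property names are the handler's documented configuration keys, while the project folder, IdP URLs, entity ID, keystore aliases, group names and content path are placeholders I made up for an Azure AD B2C setup. In an AEM as a Cloud Service project the file would live under `ui.config/.../osgiconfig/config.publish/` as `com.adobe.granite.auth.saml.SamlAuthenticationHandler~azureb2c.cfg.json` (hypothetical file name).

```json
{
  "path": ["/content/mysite"],
  "service.ranking": 5002,

  "idpUrl": "https://PLACEHOLDER-tenant.b2clogin.com/PLACEHOLDER-tenant.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/login",
  "idpHttpRedirect": false,
  "idpCertAlias": "azure-b2c-idp-signing-cert",

  "serviceProviderEntityId": "https://www.example.com/saml/sp",
  "assertionConsumerServiceURL": "",
  "spPrivateKeyAlias": "saml-sp-key",
  "keyStorePassword": "$[secret:SAML_KEYSTORE_PASSWORD]",
  "useEncryption": false,
  "digestMethod": "http://www.w3.org/2001/04/xmlenc#sha256",
  "signatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
  "clockTolerance": 60,

  "userIDAttribute": "saml_subject",
  "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",

  "createUser": false,
  "userIntermediatePath": "external/b2c",
  "addGroupMemberships": false,
  "groupMembershipAttribute": "groups",
  "defaultGroups": [],
  "synchronizeAttributes": [],
  "identitySyncType": "default",

  "defaultRedirectUrl": "/content/mysite/en/home.html",
  "handleLogout": true,
  "logoutUrl": "https://PLACEHOLDER-tenant.b2clogin.com/PLACEHOLDER-tenant.onmicrosoft.com/B2C_1A_signup_signin_saml/samlp/sso/logout"
}
```

As written, `createUser` is `false`: visitors authenticate against B2C, the handler validates the assertion signature against the certificate behind `idpCertAlias`, and no repository user is written, so nothing has to be distributed between publish instances for the login itself. If you do need groups for permission reasons (the case the reply above allows), switch `createUser` to `true`, set `addGroupMemberships` to `true` and map the B2C claim that carries group names with `groupMembershipAttribute`; `synchronizeAttributes` is the option that copies profile claims into the user node, which is exactly the profile storage the reply advises against. The `$[secret:...]` syntax is the Cloud Service environment-variable reference for secrets; the variable name here is a placeholder. Whichever way you set `createUser`, keep `clockTolerance` small and the digest and signature methods at SHA-256 so that replayed or weakly signed assertions are rejected.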