Hi there,
We have been asked to integrate AEM with Azure AD B2C for external user's authentication and we are planning to use SAML authentication provider which is OOTB in AEM as a cloud service. However, I am not sure if users are created in AEM too after authentication and if yes, why? Given a publish server can scale out anytime based on the number of requests, would user creation in AEM not pose scalability and experience issues? A user logged into a publish server may be routed to another publish server on the following request which may not have this user created yet, resulting in an error.
Would like to poll the group to see how it works behind the scene and did anybody observe the issues I mentioned above and if yes, how can this be avoided?
Thanks,
Vineet Kumar
Solved! Go to Solution.
Views
Replies
Total Likes
Hi @Vineet18 ,
Yes, the users can be created in AEM based on a configuration. [ Adobe Granite SAML 2.0 Authentication Handler ]
There you can select the option to autocreate users in crx and it will create new users who logged in through SAML.
Now for your other question :
No, there will not be any error in other publish instances because we would need to do User Syncronisation through Sling Distribution. That will syncronise users,ACLs and other related stuff to different publishers.
Hi @Vineet18 ,
Yes, the users can be created in AEM based on a configuration. [ Adobe Granite SAML 2.0 Authentication Handler ]
There you can select the option to autocreate users in crx and it will create new users who logged in through SAML.
Now for your other question :
No, there will not be any error in other publish instances because we would need to do User Syncronisation through Sling Distribution. That will syncronise users,ACLs and other related stuff to different publishers.
As mentioned you have a usersync running in the background. Also an affinity cookie is used to route a user always to the same instance as long as possible.
Thank you @Jörg_Hoh & @Anmol_Bhardwaj
Really appreciate your response.
However could you please let me know the reasons why this is necessary to create users in AEM as IMHO IDP should actually be the source of truth and we should use JWT validation server side on AEM rather than storing users in AEM. Since sling distribution is eventually consistent and hence I believe a sticky /affinity cookie is required to make it work. Affinity cookie could introduce scaling problems based on accessing pattern of users i.e. if users affiliated to a particular AEM are more active than others.
It will help me get a big picture to know why AEM requires external users to be created in AEM and if we don't do that what use cases or functionality would we miss.
Thank you,
Vineet Kumar
Hi @Vineet18 ,
As I mentioned, users can be created,but it is not mandatory. If you do not opt to create users in AEM, it will create a temp user for you.
The creation of users in AEM for users which have authenticated through SAML etc. is important to track the activites within AEM. If you will take a closer look at the resources/assets/workflows etc, you will notice that there is a "lastModifiedBy" , "lastReplicatedBy" and even other events which are tracked OOTB by AEM. This can also be used for some custom auditing which tracks user activity on the website. If you do not create a user within aem, you will not be able to track any of this operations done by users to assets, nodes, pages etc.
Thank you @Anmol_Bhardwaj but the users we are talking about here are external users/visitors and not business users. I am fine if users are created for business users since they will be limited in numbers.
Please let me know your thought for external users i.e. integrating AEM with Azure AD B2C.
You just need users in AEM if you want to either store profile information in AEM (I would not do that), or if you need to have them in different groups (so for permission reasons). In any other case you don't need the users in the AEM repository.