Are users created in AEM too if we integrate with external IDP like Azure AD B2C? | Community
Level 2
August 25, 2022
Solved


Hi there,

We have been asked to integrate AEM with Azure AD B2C for external users' authentication, and we are planning to use the SAML authentication provider which is OOTB in AEM as a Cloud Service. However, I am not sure whether users are also created in AEM after authentication and, if yes, why. Given that a publish server can scale out at any time based on the number of requests, would user creation in AEM not pose scalability and experience issues? A user logged into one publish server may be routed to another publish server on the following request, which may not have this user created yet, resulting in an error.

I would like to poll the group to see how it works behind the scenes, whether anybody has observed the issues I mentioned above, and if so, how they can be avoided.

Thanks,

Vineet Kumar

Anmol_Bhardwaj
Community Advisor
Accepted solution
August 26, 2022

Hi @vineet18,

Yes, the users can be created in AEM based on a configuration. [ Adobe Granite SAML 2.0 Authentication Handler ]

There you can select the option to autocreate users in CRX, and it will create new users who log in through SAML.

Now for your other question:

No, there will not be any error in other publish instances because we would need to do user synchronisation through Sling Distribution. That will synchronise users, ACLs and other related stuff to different publishers.

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/sync.html?lang=en
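The "autocreate users in CRX" option and the related settings from the answer above, written out as an OSGi configuration for AEM as a Cloud Service. This is an added example, not configuration from the original post or from Adobe. The property names are those of the Adobe Granite SAML 2.0 Authentication Handler (PID com.adobe.granite.auth.saml.SamlAuthenticationHandler); the `~azureb2c` factory suffix, the B2C tenant and policy names, the publish hostname, the content path, the claim URIs, the group names and the `AEM_B2C_*` environment/secret variable names are placeholders that have to be replaced with your own values:

```json
{
  "path": ["/content/mysite/secure"],
  "service.ranking": 5002,

  "idpUrl": "https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1_signin/samlp/sso/login",
  "idpCertAlias": "$[env:AEM_B2C_IDP_CERT_ALIAS;default=certalias___1234567890]",
  "idpHttpRedirect": true,

  "serviceProviderEntityId": "https://publish-p12345-e67890.adobeaemcloud.com",
  "assertionConsumerServiceURL": "https://publish-p12345-e67890.adobeaemcloud.com/saml_login",
  "spPrivateKeyAlias": "$[env:AEM_B2C_SP_KEY_ALIAS;default=]",
  "keyStorePassword": "$[secret:AEM_B2C_KEYSTORE_PASSWORD]",
  "useEncryption": false,

  "userIDAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",

  "createUser": true,
  "userIntermediatePath": "b2c",
  "addGroupMemberships": true,
  "groupMembershipAttribute": "groups",
  "defaultGroups": ["b2c-members"],
  "synchronizeAttributes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=profile/givenName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=profile/familyName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=profile/email"
  ],

  "handleLogout": true,
  "logoutUrl": "https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1_signin/samlp/sso/logout",
  "defaultRedirectUrl": "/content/mysite/secure/home.html",
  "clockTolerance": 60
}
```

The file is placed in the project's `ui.config` module under `osgiconfig/config.publish/` as `com.adobe.granite.auth.saml.SamlAuthenticationHandler~azureb2c.cfg.json` so it is only active on publish. `createUser` is the "autocreate users in CRX" switch from the answer; with `userIntermediatePath` set, the created users land under `/home/users/b2c/`, and `defaultGroups` is where the group that carries the ACLs for the protected content goes, so that authorisation is granted to a group rather than to each autocreated user. Two checks worth doing before this goes live: keep `path` restricted to the subtree that B2C users are meant to reach, so the handler never becomes the authentication handler for the whole publish instance, and keep `keyStorePassword` as a `$[secret:...]` reference rather than a literal, since the file is committed to source control. As the thread notes, the user is created on the publish instance that processed the SAML response, so this configuration has to be paired with the user synchronisation from the linked documentation; the affinity cookie mentioned below only reduces how often a request reaches a publisher that has not yet received the synchronised user.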

joerghoh
Adobe Employee
August 26, 2022

As mentioned, you have a user sync running in the background. Also, an affinity cookie is used to always route a user to the same instance as long as possible.

Vineet18 (Author)
Level 2
August 27, 2022

Thank you @joerghoh & @anmol_bhardwaj 

Really appreciate your response.

However, could you please let me know why it is necessary to create users in AEM, as IMHO the IDP should actually be the source of truth and we should use JWT validation server-side on AEM rather than storing users in AEM? Since Sling Distribution is eventually consistent, I believe a sticky/affinity cookie is required to make it work. An affinity cookie could introduce scaling problems depending on the access pattern of users, i.e. if users affiliated to a particular AEM instance are more active than others.

It will help me get the big picture: why AEM requires external users to be created in AEM, and if we don't do that, what use cases or functionality we would miss.

Thank you,

Vineet Kumar

Anmol_Bhardwaj
Community Advisor
August 29, 2022

Hi @vineet18,

As I mentioned, users can be created, but it is not mandatory. If you do not opt to create users in AEM, it will create a temp user for you.

The creation of users in AEM for users who have authenticated through SAML etc. is important to track the activities within AEM. If you take a closer look at the resources/assets/workflows etc., you will notice that there are "lastModifiedBy", "lastReplicatedBy" and other events which are tracked OOTB by AEM. This can also be used for some custom auditing which tracks user activity on the website. If you do not create a user within AEM, you will not be able to track any of these operations done by users to assets, nodes, pages etc.