Expand my Community achievements bar.

July 31st AEM Gems Webinar: Elevate your AEM development to master the integration of private GitHub repositories within AEM Cloud Manager.

Closed User Groups (CUG) for 1 million users on AEM


Level 7

I heard that on the AEMaaCS they disabled Adobe Granite SAML 2.0 Authentication Handler , which creates a new user node on the AEM publishers. from there, the Adobe Granite SAML 2.0 Authentication Handler  would tag that user with the the correct user-group, and finally, that authenticated SSO user now can view Closed User Groups (CUG)  content.

Is this true?

Well, next question is We have a requirement here where customers would log into our AEM dispatcher website, and then allow them to read Closed User Group content.; view assets from the DAM. What is the best way for doing this?

The users registered to view CUG content are completely random guests for example, @gmail,com @outlook.com, @company.com, @subscribed users.

AEMaaCS disabled Adobe Granite SAML 2.0 Authentication Handler because they don't want to overload servers or what? What is the best way t achieve this?


Topics help categorize Community content and increase your ability to discover relevant content.

4 Replies


Level 10

Hi @AEMWizard ,

Yes, it is true that Adobe has disabled the Adobe Granite SAML 2.0 Authentication Handler in AEM as a Cloud Service (AEMaaCS) because it creates a new user node on the AEM publishers, which can cause scalability and performance issues when dealing with a large number of users.

To allow customers to read Closed User Group (CUG) content and view assets from the DAM, you can use the AEMaaCS-supported authentication mechanisms, such as Adobe I/O Runtime or Adobe Experience Platform Identity Service. These authentication mechanisms allow you to authenticate users and assign them to specific user groups, which can be used to control access to CUG content and assets.

For example, you can use Adobe I/O Runtime to authenticate users using OAuth 2.0 or JSON Web Tokens (JWT), and then use the AEMaaCS APIs to assign the authenticated users to specific user groups. You can then use the CUG feature in AEM to restrict access to content and assets based on the assigned user groups.

To handle a large number of users, you can use a scalable and distributed architecture, such as a serverless architecture using Adobe I/O Runtime or a microservices architecture using Adobe Experience Platform. These architectures can help you handle a large number of users and provide high scalability and performance.

It's important to note that the specific details and options for implementing CUG in AEMaaCS may vary depending on your specific AEMaaCS subscription and agreement with Adobe. It is recommended to consult with Adobe or your Adobe partner for more information and assistance with implementing CUG in your AEMaaCS environment.


Employee Advisor

Can you please point me to the documentation which says that SAML 2.0 authentication on publish is not available on AEM CS?

(I know a number of cases, where this is working.)


Level 7

I'm not sure here, but I need some help. Please, what is the best way to handle 

1 million users on AEM, which these users are just people who wants to read news, maybe update their email and profile name. The content would rather be secured with CUG. We are planning to use CUG cache to increase performance of secured pages. 

We do not want to overload AEM with these random users, so whats the best practice.




@AEMWizard Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni