We have integrated Okta as the IDM for our AEM 6.2 website. We have done so using a fairly standard SAML configuration which has worked well. In our live/production environment we have two publish instances so we have been testing the integration across two publish environments.
We have enabled Encapsulated Token support on both instances and we have found that, in order for the encapsulated token to work, the associated user account must exist on both publish instances.
However, there is a short delay of approximately 1 second between user replication across both publish instances as the SAML Authentication Handler adds the new user and the Apache Sling Distribution Agents - Sync Agents Factory replicates it to the other publisher.
Consider a scenario where a new user is SAML-authenticated on Pub 1 but the saml_login handler redirects the same user to Pub 2 after authentication. If this happened quicker than the 1 (or so) second(s) it takes for the user to replicate across to the second publish instance the user may not be authenticated as they land on the page.
How do we avoid the 1 in 100 scenario where the user is redirected back to the SAML-protected page before their account is replicated to both publishers?
I assume this is a common concern/scenario and you guys will be able to advise accordingly. Thanks in advance!
The scenario you mentioned is really one out of 100 scenario. You have done both the requirments to achieve this i.e Enabling Encapsulated token support and User Syncing. If you really want your setup to work 100%, you can go next with Dispatcher sticky session along with above you points.