We are using SAML authentication for login to AEM. It is working fine in author as users are present in AEM or will be created if not present. But for publish instance, users will not be kept in AEM and thus unable to use existing SAML Handler. The documentation also states that it is the limitation of OOTB handler.
User Must Exist in AEM
Users logging in via the handler must exist, or if missing must be created in, AEM (“Autocreate CRX Users” must be checked). This is because the Sling authentication framework, which the SamlAuthenticationHandler is a part of, extracts user credentials from the SAMLResponse and logs into the JCR repository using those credentials.
Any suggestion how we can use SAML for authentication for publish. The user base in 2.2 M and thus it is decided not to keep so much users in AEM.
I believe this is true - you need to have users in AEM.
Watch this GEMS session as it may provide more details:
I am talking to internal ppl to see if there is other ways to proceed here.
There are couple of ways and hack arounds, all need some kind of custamization. Before that what is the use case for protecting the pages in publish when user does not exist in publisher?
The user base is pretty huge and adobe itself has recommended the client not to keep users in AEM for publish instance.
The idea is to suggest right workaround for your use case. I am not challenging on recommendation of user profile storage in AEM. but trying to find when there is no user in publisher and all content are available to anonymous why do you need authentication. If you do not want to discuss the use case in open forum feel free to engage the official channel.
The idea was not to offend you but was just mentioning that the suggestion for not keeping the users in AEM is not suggested by us. Since the client has huge user base, so the solution was recommended.
I am seriously looking for suggestions and help here.
Thanks and Regards,