I am trying to integrate SAML on an intranet employee portal on AEM with Okta. I was able to integrate with SSOCircle as a POC and have a few questions.
I understand that the SAML authentication handler reads the SAML assertions, creates the user in CRX and generates a login-token cookie to validate the authentication for further requests.
I did a test with unchecking "create user" in the SAML config in AEM, and the authentication failed with the error below:
javax.jcr.RepositoryException: Failed to generate login-token: Could not access Repository
19.09.2019 11:20:05.518 *INFO* [qtp317350284-1718] com.adobe.granite.auth.saml.SamlAuthenticationHandler User xxxxx not found
My question is: if I allow users to be created in CRX and use the login-token cookie, and I have three publish AEM instances routed from an ELB with no stickiness configured, I think the session cannot be maintained, as the token is stored in only one of the CRX repositories.
Do I need to configure stickiness on the ELB based on the login-token cookie for this to work?
What is the other way to handle the SAML assertion if I don't use the login-token cookie and no user creation in CRX?
Since you are dealing with end users on the publish side, the best approach would be to use the User Sync feature, which uses the Sling Content Distribution (SCD) framework. This feature syncs users between publish instances.
Thank you. This helps. If I do the user sync, does it sync the tokens too, or do I need to enable the encapsulated tokens feature of the Token Login handler?
Also, can Sling distribution handle multiple concurrent user syncs? If there is a delay in the sync, I think the session will log out when the second publisher is hit.
Since an encapsulated token doesn't require access to the repository to authenticate requests and can validate requests against the cookie, tokens can be ignored as part of the configuration; they are ignored by default.
However, it is necessary for the user to be present on the other publish instances for the authentication to work. In this case I can think of enabling sticky connections based on the time taken to sync users to the other publish instances, or using SSO if possible.
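To make the two points in this thread concrete, here is an added simulation (not AEM's or Adobe's code, and not AEM's real token format) of three publish nodes behind a non-sticky load balancer. A repository-backed token is only known to the node that issued it, so the next request on another node fails; a self-validating (HMAC-signed) token checks out on any node that holds the shared key, but the request still fails until the user has been synced to that node. The class and function names, the `user:expiry:hmac` token layout and the `sync_users` stand-in for user sync are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: three publish nodes behind a load balancer with no stickiness.
NODES = ["publish-1", "publish-2", "publish-3"]


class PublishNode:
    """One publish instance: its own user repository and its own token store (hypothetical model)."""

    def __init__(self, name, shared_key):
        self.name = name
        self.users = set()            # users present in this node's repository
        self.repo_tokens = {}         # repository-backed login tokens issued by this node
        self.shared_key = shared_key  # key shared across nodes for self-validating tokens

    def saml_login_repo_token(self, user):
        """Repository-backed token: a random value stored only in this node's repository."""
        self.users.add(user)
        token = secrets.token_hex(16)
        self.repo_tokens[token] = user
        return token

    def validate_repo_token(self, token):
        # Only the node that issued the token can look it up; other nodes return None.
        return self.repo_tokens.get(token)

    def saml_login_encapsulated(self, user, expiry_s=3600):
        """Self-validating token: user, expiry and an HMAC over both; nothing stored server-side."""
        self.users.add(user)
        exp = int(time.time()) + expiry_s
        payload = f"{user}:{exp}"
        mac = hmac.new(self.shared_key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}:{mac}"

    def validate_encapsulated(self, token):
        """Any node with the shared key can verify the signature without a token lookup,
        but the user must still exist locally, as the answer above points out."""
        try:
            user, exp, mac = token.rsplit(":", 2)
            exp = int(exp)
        except ValueError:
            return None
        expected = hmac.new(self.shared_key, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None              # tampered or signed with a different key
        if exp < time.time():
            return None              # expired
        if user not in self.users:
            return None              # user not synced to this node yet
        return user


def sync_users(source, targets):
    """Stand-in for user sync (Sling Content Distribution) copying users between nodes."""
    for t in targets:
        t.users |= source.users


def simulate(user="alice"):
    key = secrets.token_bytes(32)
    nodes = [PublishNode(n, key) for n in NODES]
    first, others = nodes[0], nodes[1:]
    results = {}
    # 1. Repository-backed token issued by publish-1; the next request lands on publish-2.
    repo_tok = first.saml_login_repo_token(user)
    results["repo_token_same_node"] = first.validate_repo_token(repo_tok)
    results["repo_token_other_node"] = others[0].validate_repo_token(repo_tok)
    # 2. Self-validating token before user sync: signature is fine, user missing on publish-2.
    enc_tok = first.saml_login_encapsulated(user)
    results["encapsulated_before_sync"] = others[0].validate_encapsulated(enc_tok)
    # 3. After user sync the same cookie is accepted on every node.
    sync_users(first, others)
    results["encapsulated_after_sync"] = [n.validate_encapsulated(enc_tok) for n in nodes]
    # 4. A cookie with the user name altered fails the HMAC check everywhere.
    tampered = enc_tok.replace(user, "mallory", 1)
    results["tampered"] = others[1].validate_encapsulated(tampered)
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The gap between steps 2 and 3 is exactly the window the reply describes: until user sync has delivered the user to a node, a correctly signed cookie is still rejected there, which is why the reply suggests stickiness tuned to the sync delay.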