How appropriate is it to use SAML_login with AEM with more than 1m users?
I am investigating a slow login time and some profile synchronisation problems of a large enterprise AEM project. The system has around 1.5m users, and the website is served by 10 publishers.
The way this project is built is that they have enabled SAML_login for all these end users, and there is a third-party IDP which I assume SAML_login talks to. I'm no expert on these SSO / SAML_login processes, so as a first step I'm trying to understand if this is the correct way to go.
Because of this setup and the number of users, the SAML_login call takes 15 seconds on average. This is getting more unacceptable day by day as the user count rises. And even more importantly, the synchronization between the 10 publishers is failing occasionally, hence some of the users sometimes can't use the system as they are expected to.
Because the users are stored in the JCR for SAML_login, you cannot even go and check the home/users folder from the CRX browser. It times out, as it is impossible to show 1.5m rows at once. My educated guess is that this is why the SAML_login call is taking so long.
I've come across articles that tell how to set up SAML_login on AEM, and this makes it sound legitimate for what it is used for in this case. But in my opinion this is the worst setup ever, as the JCR is not a well-designed quick-access data store for this kind of usage scenario.
My understanding so far is that this approach might work well, but only with a limited number of users; with this many users it is an inapplicable solution approach. So my first question would be: Am I right? :)
If I'm not right, there is certainly a bottleneck somewhere which I'm not aware of yet. What can that bottleneck be, so I can improve upon it?
Tags: single-sign-on, aem, saml, saml-2.0, jcr
Comments:

What you have described is a bad design. Users are created in AEM primarily for authoring/admin purposes, or when they otherwise need to be granted permissions. Creating JCR users for publish site users is not recommended for a large number of users. It's inefficient, and it's also unsafe: if any of those users were to acquire elevated privileges, due to erroneous privilege assignment or some bug, they can potentially mess up your system.
– awd, Mar 23 at 14:48 (score 4)

@awd I agree with your assessment. But I am curious, what's a better way to do this where users are not created in the JCR?
– Ahmed Musallam, Mar 23 at 15:13 (score 1)

I totally agree with you @awd, and I am trying to find a formal document stating this, as I need to insist on that to my client.
– Tolga Evcimen, Mar 23 at 16:40 (score 1)

@AhmedMusallam I am of the opinion that for a large number of users' data you need a dedicated DB server. I have seen the following high-level setup work fairly well: after the user authenticates with the IDP, basic auth info can be maintained in the form of cookies on the client browser; if there is a need to deal with more user data, introduce a DB server. Any processing needed in AEM is done via a service user.
– awd, Mar 23 at 16:55 (score 1)

@AhmedMusallam yes, the OOTB SAML auth handler creates users in the repo; you can have your own SAML response handler though (you will have to write some code). @Tolga - from what I know, Adobe doesn't say how many users AEM can support; let me know if you find any formal document/source. Also consider reaching out to Adobe support if that's an option, and see what they say.
– awd, Mar 23 at 18:33 (score 2)
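The cookie-based session awd sketches in the last two comments (identity carried by the client after the IdP step, no repository user created per end user), as an added example that is not from the question or any commenter. It assumes the SAML assertion has already been validated (signature, audience, NotOnOrAfter) by the SP's own response handler, and the shared signing key, attribute names and sample values are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (constructed for this example): one signing key shared by all
# publishers, so a cookie issued on any of the 10 instances verifies on the others.
SHARED_SIGNING_KEY = b"constructed-demo-key-replace-with-a-managed-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(assertion, now=None, ttl=3600, key=SHARED_SIGNING_KEY):
    """Turn attributes from an already-validated SAML assertion into a signed cookie.

    `assertion` is a dict with "NameID", "groups" and "NotOnOrAfter" (epoch seconds):
    the pieces a custom SAML response handler would extract after checking the
    assertion's signature and audience. No repository user is created.
    """
    now = int(time.time()) if now is None else now
    # Never let the cookie outlive the assertion the IdP issued.
    exp = min(now + ttl, int(assertion["NotOnOrAfter"]))
    payload = {"sub": assertion["NameID"], "groups": sorted(assertion.get("groups", [])),
               "iat": now, "exp": exp}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + sig


def verify_session_cookie(cookie, now=None, key=SHARED_SIGNING_KEY):
    """Return the cookie's payload if its MAC is valid and it has not expired, else None.

    This is the per-request check that replaces a /home/users lookup: one HMAC over
    a few hundred bytes, independent of how many users exist.
    """
    body, sep, sig = cookie.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time compare, before any parsing
        return None
    payload = json.loads(_unb64(body))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample attributes, as a response handler might extract them.
    sample = {"NameID": "user-000123@example.com", "groups": ["members"], "NotOnOrAfter": 1_000_300}
    cookie = issue_session_cookie(sample, now=1_000_000)
    print("issued:", cookie)
    print("valid at t+100:", verify_session_cookie(cookie, now=1_000_100))
    print("after NotOnOrAfter:", verify_session_cookie(cookie, now=1_000_300))
```

Anything AEM itself must read or write for the request is then done under a service user, as the comment describes, keyed by the `sub` claim rather than by a JCR user node.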
asked Mar 23 at 13:00 by Tolga Evcimen