How appropriate it is to use SAML_login with AEM with more than 1m users?
I am investigating slow login times and some profile synchronisation problems on a large enterprise AEM project. The system has around 1.5m users, and the website is served by 10 publishers.

The way this project is built, they have enabled SAML_login for all these end users, and there is a third-party IdP which I assume SAML_login talks to. I'm no expert on SSO / SAML_login processes, so I'm trying to understand whether this is the correct way to go in the first place.

Because of this setup and the number of users, the SAML_login call takes 15 seconds on average. This is getting more unacceptable day by day as the user count rises. And even more importantly, the synchronization between the 10 publishers fails occasionally, so some users sometimes can't use the system as they are expected to.

Because the users are stored in the JCR for SAML_login, you cannot even go and check the home/users folder from the CRX browser. It times out, as it is impossible to show 1.5m rows at once. And my educated guess is that's why the SAML_login call is taking so long.

I've come across articles that tell how to set up SAML_login on AEM, and this makes it sound legitimate for what it is used for in this case. But in my opinion this is the worst setup ever, as the JCR is not a well-designed quick-access data store for this kind of usage scenario.

My understanding so far is that this approach might work well with only a limited number of users, but with this many users it is an inapplicable solution. So my first question would be: Am I right? :)

If I'm not right, there is certainly a bottleneck somewhere which I'm not aware of yet. What can that bottleneck be, to improve upon?







single-sign-on aem saml saml-2.0 jcr
asked Mar 23 at 13:00

Tolga Evcimen

  • What you have described is a bad design. Users are created in AEM primarily for authoring/admin purposes, or when they otherwise need to be granted permissions. Creating JCR users for publish site users is not recommended for large numbers of users. It's inefficient, and it's also unsafe: if any of those users were to acquire elevated privileges, due to erroneous privilege assignment or some bug, they could potentially mess up your system.

    – awd
    Mar 23 at 14:48

  • @awd I agree with your assessment. But I am curious, what's a better way to do this where users are not created in the JCR?

    – Ahmed Musallam
    Mar 23 at 15:13

  • I totally agree with you @awd, and I am trying to find a formal document stating this, as I need to insist on that to my client.

    – Tolga Evcimen
    Mar 23 at 16:40

  • @AhmedMusallam I am of the opinion that for a large number of users' data you need a dedicated DB server. I have seen the following high-level setup work fairly well: after the user authenticates with the IdP, basic auth info can be maintained in the form of cookies on the client browser; if there is a need to deal with more user data, introduce a DB server. Any processing needed in AEM is done via a service user.

    – awd
    Mar 23 at 16:55

  • @AhmedMusallam Yes, the OOTB SAML auth handler creates users in the repo; you can have your own SAML response handler though (you will have to write some code). @Tolga: from what I know, Adobe doesn't say how many users AEM can support; let me know if you find any formal document/source. Also consider reaching out to Adobe support if that's an option, and see what they say.

    – awd
    Mar 23 at 18:33
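
The pattern awd sketches in the comments (validate the SAML response, keep the authenticated identity in a cookie instead of a JCR user, and do any repository work under a service user) can be illustrated with an added example. The code below is not from the question, from awd, or from Adobe's SAML authentication handler; it is a plain-Java sketch of the signed, expiring cookie value that a custom handler could issue once and verify on every publisher without ever reading or writing home/users. The class name, the key handling, and the assumption that it would be called from a custom Sling AuthenticationHandler after the SAML assertion has already been validated are mine.

```java
// Added example, not code from the question or from AEM/Adobe.
// A stateless, HMAC-signed session token: once the IdP has authenticated the
// visitor and the SAML response has been validated (signature, audience,
// conditions; not shown here), the publisher issues this value in a cookie and
// later recognises the visitor from the cookie alone. No JCR user is created
// or looked up, so login cost no longer grows with the number of visitors, and
// every publisher can verify the token as long as they share the key.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class StatelessSession {
    private static final String ALG = "HmacSHA256";
    // URL-safe alphabet never contains '.', so '.' is a safe field separator.
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] key; // shared by all publishers; rotate it out of band

    public StatelessSession(byte[] key) {
        if (key == null || key.length < 32) {
            throw new IllegalArgumentException("key must be at least 256 bits");
        }
        this.key = key.clone();
    }

    /** Builds "b64(subject).expiry.b64(mac)"; subject is e.g. the SAML NameID. */
    public String issue(String subject, long expiresAtEpochSeconds) {
        String payload = B64.encodeToString(subject.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAtEpochSeconds;
        return payload + "." + B64.encodeToString(mac(payload));
    }

    /** Returns the subject if the MAC is valid and the token is unexpired, else empty. */
    public Optional<String> verify(String token, long nowEpochSeconds) {
        if (token == null) return Optional.empty();
        int cut = token.lastIndexOf('.');
        if (cut <= 0) return Optional.empty();
        String payload = token.substring(0, cut);
        byte[] given;
        try {
            given = B64D.decode(token.substring(cut + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Constant-time compare: a plain Arrays.equals() leaks the MAC byte by byte.
        if (!MessageDigest.isEqual(mac(payload), given)) return Optional.empty();
        String[] parts = payload.split("\\.", 2);
        if (parts.length != 2) return Optional.empty();
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (nowEpochSeconds >= expiry) return Optional.empty();
        return Optional.of(new String(B64D.decode(parts[0]), StandardCharsets.UTF_8));
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(key, ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // demo key; in AEM read it from a secret store
        StatelessSession s = new StatelessSession(key);
        long now = 1_700_000_000L;          // fixed "now" so the run is reproducible
        String token = s.issue("user-12345@idp.example", now + 3600);

        System.out.println("valid:    " + s.verify(token, now));
        System.out.println("expired:  " + s.verify(token, now + 7200));

        // A visitor who edits the expiry in their own cookie invalidates the MAC.
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + (now + 999_999) + "." + p[2];
        System.out.println("tampered: " + s.verify(tampered, now));
    }
}
```

The cookie carrying this value still needs the usual flags (Secure, HttpOnly, SameSite) and a short lifetime, because a stateless token cannot be revoked server-side without adding a deny-list; this code does nothing with the SAML response itself, so the assertion's signature, audience and validity window must be checked before issue() is ever called, and anything that must touch the repository on the visitor's behalf runs under a service user rather than a per-visitor account.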