Aem authentication vs idp
- 1. AEM Authentication VS IDP FOR MILLION USER BUSINESS CASE BY – SAROJ RANJAN MISHRA
- 2. Why IDP •AEM is a content management system had the capability to manage business users(Authors). •For million of public user/ visitor IDP would be the best solution. Following are the points need to be taken care by AEM in order to use AEM as auth provider. •Searching for authentication is significant performance bottleneck. •Significant effort needed to synchronize users across all AEM publish instances. •Solution extension for SSO will not be possible in future. •User will lose latest credentials updates in case of AEM repository failure. •Should not store any PII info. Do not store and sensitive info. Would we have use case for all of the above in the coming slides.
- 3. Use Case Managing millions of users. Imagine a scenario where you add a new publisher to your TarMK Publish farm, do you imagine syncing all the 1Million+ users to this newly added publisher? If yes, then this is a bad design. If you want to scale your application as a whole, your user management should be outside your application container. Significant effort needed to synchronize users across all AEM publish instances. User Sync User Sync User Sync
- 4. Use Case Searching for authentication is significant performance bottleneck. It is because the way group membership is handled in AEM. User node in AEM does not contain group information. Instead membership information is present in group nodes in JCR. The group node will have a property called as “rep:membership” which contains list of user nodes who are members of that group. While your authentication is being performed, AEM would need to verify complex group memberships in addition to username/password matching. With IDP user might get the content cached in dispatcher by reducing the server hit. Direct hit to publish Direct hit to publish
- 5. Use Case User will lose latest credentials updates in case of AEM repository failure. In any distributed systems, failure happen all the time and you need to have mechanism to handle/recover from failures. If you want your architecture to be truly elastic(auto- scaled) then you need user management to happen outside AEM(or any container for that matter). If you are looking at an application this large then things have to handled at multiple points in your overall architecture. One system cannot provide solutions to all your woes.
- 6. Use Case Solution extension for SSO will not be possible in future. In future if we need authentication of set of user for other enterprise application it may not possible or need redesign.
- 7. Conclusions The above suggestion were given for the fact that the user would be of 2 million and there would by half a million contributor would be creating loads of UGC. With my understanding with AEM we have benchmark for million user to achieve the we have to pay for the same in terms of performance , frequent maintenance , frequent user management , may be more publish and author instance which would be far more then the cost of IDP.