AEM Authentication VS IDP
FOR MILLION USER BUSINESS CASE
BY – SAROJ RANJAN MISHRA
•AEM is a content management system that has the capability to manage business users (authors).
•For millions of public users/visitors, an IDP would be the best solution.
The following points need to be taken care of in order to use AEM as the auth provider.
•Searching for authentication is a significant performance bottleneck.
•Significant effort is needed to synchronize users across all AEM publish instances.
•Extending the solution for SSO will not be possible in the future.
•Users will lose the latest credential updates in case of AEM repository failure.
•Should not store any PII. Do not store any sensitive info.
We will have a use case for each of the above in the coming slides.
Managing millions of users.
Imagine a scenario where you add a new publisher to your TarMK publish farm. Would you sync all 1 million+ users to this newly added publisher? If yes, then this is a bad design.
If you want to scale your application as a whole, your user management should be outside your application container.
Significant effort needed to synchronize users across all AEM publish instances.
Searching for authentication is a significant performance bottleneck.
This is because of the way group membership is handled in AEM.
User node in AEM does not contain group
Instead, membership information is present in group nodes in the JCR. The group node has a property called “rep:membership”, which contains the list of user nodes that are members of that group.
While authentication is being performed, AEM needs to verify complex group memberships in addition to the username/password.
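An added illustration of the layout described above (not AEM or Oak code, and not part of the original deck): a simplified in-memory model in which only group nodes list their members, so resolving one user's groups at login means reading group nodes. The group names, the nesting and the scan strategy are assumptions made for the example.

```python
from collections import deque

# Constructed sample data: group id -> members listed on the group node.
# Members may be users or other (nested) groups. User nodes carry no group list.
GROUPS = {
    "everyone-registered": ["contributors", "readers"],
    "contributors": ["moderators", "alice"],
    "moderators": ["bob"],
    "readers": ["carol"],
    "premium": ["carol"],
}


def resolve_groups(user_id, groups):
    """Return (set of groups the user is in, directly or through nesting,
    number of group nodes read to find them)."""
    found = set()
    reads = 0
    frontier = deque([user_id])
    while frontier:
        principal = frontier.popleft()
        # The principal has no pointer to its groups, so in this model
        # every group node is inspected for each principal resolved.
        for group_id, members in groups.items():
            reads += 1
            if principal in members and group_id not in found:
                found.add(group_id)          # also guards against cycles
                frontier.append(group_id)    # nested membership: go one level up
    return found, reads


if __name__ == "__main__":
    for user in ("bob", "carol", "dave"):
        member_of, reads = resolve_groups(user, GROUPS)
        print(f"{user}: groups={sorted(member_of)} group-node reads={reads}")
```

In this model the read count per login grows with the number of groups times the depth of nesting, which is the cost the slide attributes to authentication inside the repository.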
With an IDP, the user might get content cached in the dispatcher, reducing server hits.
Users will lose the latest credential updates in case of AEM repository failure.
In any distributed system, failures happen all the time and you need a mechanism to handle and recover from them. If you want your architecture to be truly elastic (auto-scaled), then user management needs to happen outside AEM (or any container, for that matter). If you are looking at an application this large, then things have to be handled at multiple points in your overall architecture. One system cannot provide solutions to all your woes.
Solution extension for SSO will not be possible in future.
In the future, if we need authentication of a set of users for other enterprise applications, it may not be possible or
The above suggestions were given because there would be 2 million users, and half a million contributors would be creating loads of UGC.
As I understand it, with AEM we have a benchmark for a million users; to achieve that, we have to pay for it in terms of performance, frequent maintenance, frequent user management, and possibly more publish and author instances, which would cost far more than the IDP.