Optimizing Group Management with Dynamic Membership during authentication
Dynamic Group Membership is a powerful capability in Apache Oak that significantly improves the scalability and performance of group synchronization and membership evaluation. Unlike traditional group membership, dynamic groups allow the representation of large external groups without incurring the typical performance overhead.
In this session, we’ll explore how to enable Dynamic Group Membership across various Authentication Handlers — including custom implementations as well as built-in ones like SAML, OAuth, and OIDC. We’ll dive into the distinctions between local and external identities, and between static and dynamic external groups. We’ll examine real-world challenges in migrating from default to dynamic membership synchronization and provide a deep dive into the SAML migration hook implemented in AEM to streamline this transition.
Attendees will gain actionable insights into implementing, configuring, and tuning this feature for optimal performance, along with lessons learned from production deployments.
Tomasz Sobczyk
What is a "large" group according to your standards?
d.kornas
Are dynamic groups available in AEM 6.5 on-prem version?
d.kornas
What approach do you recommend to add newly created dynamic group to the local group? Especially if the dynamic group is created at the time the user logs in and has no ACL set yet.
Robin
Users and groups on publish instances still feels like something to avoid. It creates additional caching, synchronisation, security, ... issues. Feels like we can better make sure to not introduce users on these type of instances (for example make use of SSI or other dynamic content patterns to render user specific stuff, based on tokens). Do you agree on this or would you still make use of this functionality?
Nicola
I still see the groups playing a central role in the authorization, being able to "group" users that require common functionalities. The tokens are generally used to retrieve group information.
Robert Wunsch
Wouldn't it make sense for Adobe to walk customers through this migration process, or even execute the migration, after talking to the AEMaaCS customer?
Nicola
We tried to document it here: https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/authentication/saml-2-0#dynamic-group-membership
Konrad
Are dynamic groups returning members via https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/api/security/user/Group.html#getDeclaredMembers()?
Alejandro
Yes, those are returned
Konrad
So those calls are slow, right? How do I identify if a group is dynamic?
Nicola
The issue I described is more related to the performance of the synchronization in Oak. You can identify dynamic groups by the attribute: "rep:externalId"
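The exchange above touches on two points a practitioner will want to verify on a running instance: that a synchronized group can be recognised by its `rep:externalId` property, and that `Group.getDeclaredMembers()` still resolves members for such a group. The following Java snippet is an added example, not code from the session or from Oak/AEM; it uses only the public Jackrabbit/Oak JCR user-management API (`JackrabbitSession`, `UserManager`, `Authorizable`, `Group`) and assumes the caller already holds a JCR `Session` with read access to the group node. The helper name `DynamicGroupCheck` and the idea of counting members are this example's own.

```java
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import java.util.Iterator;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Added example (hypothetical helper, not part of Oak or AEM):
 * inspect a group to see whether it was synchronized from an external
 * identity provider and, if so, how many declared members it resolves.
 */
public final class DynamicGroupCheck {

    // Property name quoted in the discussion above; set by the Oak
    // external identity synchronization on synchronized users and groups.
    private static final String REP_EXTERNAL_ID = "rep:externalId";

    private DynamicGroupCheck() {
    }

    /**
     * Returns true when the authorizable with the given id exists, is a
     * group, and carries the rep:externalId property on its node.
     * rep:externalId is a protected property, so it is read through the
     * JCR node rather than through Authorizable.getProperty().
     */
    public static boolean isExternalGroup(Session session, String groupId)
            throws RepositoryException {
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        Authorizable authorizable = userManager.getAuthorizable(groupId);
        if (authorizable == null || !authorizable.isGroup()) {
            return false;
        }
        Node groupNode = session.getNode(authorizable.getPath());
        return groupNode.hasProperty(REP_EXTERNAL_ID);
    }

    /**
     * Counts the members returned by Group.getDeclaredMembers() for the
     * given group id. This is the call discussed above; on a large
     * synchronized group it is the place to measure before assuming the
     * lookup is cheap. Returns -1 when the id is not a group.
     */
    public static long countDeclaredMembers(Session session, String groupId)
            throws RepositoryException {
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        Authorizable authorizable = userManager.getAuthorizable(groupId);
        if (authorizable == null || !authorizable.isGroup()) {
            return -1;
        }
        Iterator<Authorizable> members = ((Group) authorizable).getDeclaredMembers();
        long count = 0;
        while (members.hasNext()) {
            members.next();
            count++;
        }
        return count;
    }
}
```

A typical use is a small diagnostic run from an administrative session: call `isExternalGroup(session, "<group id>")` to confirm the group came from the IdP synchronization, then time `countDeclaredMembers(session, "<group id>")` against the same group to see how expensive the membership walk is on that instance.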