User Synchronization

Last update: March 5, 2025

CREATED FOR:

  • Admin

Introduction

When the deployment is a publish farm, members must be able to log in and see their data on any Publish node.

Users and user groups (user data) created in the publish environment are not needed in the author environment.

Most user data created in the author environment is intended to remain in the author environment and not be copied to Publish instances.

Registration and modifications made on one Publish instance must be synchronized with other Publish instances for them to have access to the same user data.

As of AEM 6.1, when user synchronization is enabled, user data is automatically synchronized across the Publish instances in the farm and are not created on author.

Sling Distribution

The user data, along with their ACLs, are stored in the Oak Core, the layer below Oak JCR, and are accessed using the Oak API. With infrequent updates, it is reasonable for user data to be synchronized with other Publish instances using Sling Content Distribution (Sling distribution).

The benefits of user sync using Sling distribution, compared to traditional replication are:

  • users, user profiles, and user groups created on Publish are not created on Author

  • Sling distribution sets properties in jcr events, making it possible to act within publish-side event listeners without concern for infinite replication loops

  • Sling distribution only sends user data to non-originating Publish instances, eliminating unnecessary traffic

  • ACLs set in the user node are included in the synchronization

NOTE
If sessions are required, it is recommended to use either an SSO solution or use a sticky session and have customers log in if they get switched to another Publish instance.
CAUTION
Synchronization of the administrators group is not supported, even when user sync is enabled. Instead, a failure to ‘import the diff’ is logged in the error log.
Therefore, when the deployment is a publish farm, if a user is added to or removed from the administrators group, the modification must be manually made on each Publish instance.

Enable User Sync

NOTE
By default, user sync is disabled.
Enabling user sync involves modifying existing OSGi configurations.
No new configurations should be added as a result of enabling user sync.

User sync relies on the author environment to manage the user data distributions, even though the user data is not created on the Author. Much, but not all, of the configuration takes place in the author environment and each step clearly identifies whether it is to be performed on Author or Publish.

Following are the steps necessary to enable user synchronization, followed by a Troubleshooting section:

Prerequisites

  1. If users and user groups have already been created on one Publish instance, it is recommended to manually sync the user data to all Publish instances before configuring and enabling user sync.

Once user sync is enabled, only newly created users and groups are synchronized.

  1. Ensure that the latest code is installed:

1. Apache Sling Distribution Agent - Sync Agents Factory

Enable user sync

  • on author

    • sign in with administrator privileges

    • access the Web Console

    • locate Apache Sling Distribution Agent - Sync Agents Factory

      • select the existing configuration so you can open it for editing (pencil icon)
        Verify name: socialpubsync

      • select the Enabled checkbox

      • select Save

Apache Sling Distribution Agent

2. Create Authorized User

Configure permissions

The authorized user is used in step 3 to configure the Sling distribution on Author.

CAUTION
A new user must be created.
  • The default user assigned is admin.

How to Add ACL

  • access CRXDE Lite

  • select /home node

  • in right pane, select the Access Control tab

  • to add an ACL entry, select the + button

    • Principal: search for user created for user sync
    • Type: Allow
    • Privileges: jcr:all
    • Restrictions rep:glob: */activities/*
    • select OK

  • select Save All

Add ACL Window

See also

3. Adobe Granite Distribution - Encrypted Password Transport Secret Provider

Configure permissions

Once an authorized user–a member of the administrators user group–is created on all Publish instances, the authorized user must be identified on Author as having permission to sync user data from Author to Publish.

  • on Author

    • sign in with administrator privileges

    • access the Web Console

    • locate com.adobe.granite.distribution.core.impl.CryptoDistributionTransportSecretProvider.name

    • to open for edit, select the existing configuration (pencil icon)
      Verify property name: socialpubsync-publishUser

    • set the username and password to the authorized user created on Publish in step 2

      • for example, usersync-admin

Encrypted Password Transport Secret Provider

4. Apache Sling Distribution Agent - Queue Agents Factory

Enable user sync

  • on each Publish instance:

    • sign in with administrator privileges

    • access the Web Console

    • locate Apache Sling Distribution Agent - Queue Agents Factory

      • to open for edit, select the existing configuration (pencil icon)
        Verify Name: socialpubsync-reverse

      • select the Enabled checkbox

      • select Save

    • repeat for each Publish instance

Queue Agents Factory

5. Adobe Social Sync - Diff Observer Factory

Enable group sync

  • on each Publish instance:

    • sign in with administrator privileges

    • access the Web Console

    • locate Adobe Social Sync - Diff Observer Factory

      • to open for edit, select the existing configuration (pencil icon)

        Verify agent name: socialpubsync-reverse

      • select the Enabled checkbox

      • select Save

Diff Observer Factory

6. Apache Sling Distribution Trigger - Scheduled Triggers Factory

(Optional) modify polling interval

By default, the Author polls for changes every 30 seconds. To alter this interval:

  • on Author

    • sign in with administrator privileges

    • access the Web Console

    • locate Apache Sling Distribution Trigger - Scheduled Triggers Factory

      • to open for edit, select the existing configuration (pencil icon)

        • Verify Name: socialpubsync-scheduled-trigger

      • set the Interval in Seconds to the desired interval

      • select Save

Scheduled Triggers Factory

Configure for Multiple Publish Instances

The default configuration is for a single Publish instance. As the reason for enabling user sync is to synchronize multiple Publish instances, such as for a publish farm, the additional Publish instances must be added to the Sync Agents Factory.

7. Apache Sling Distribution Agent - Sync Agents Factory

Add Publish Instances:

Sync Agents Factory

  • Exporter Endpoints
    There should be an exporter endpoint for each Publish instance. For example, if there are 2 Publish instances, localhost:4503 and 4504, there should be two entries:

    • https://localhost:4503/libs/sling/distribution/services/exporters/socialpubsync-reverse
    • https://localhost:4504/libs/sling/distribution/services/exporters/socialpubsync-reverse

  • Importer Endpoints
    There should be an importer endpoint for each Publish instance. For example, if there are 2 Publish instances, localhost:4503 and 4504, there should be two entries:

    • https://localhost:4503/libs/sling/distribution/services/importers/socialpubsync
    • https://localhost:4504/libs/sling/distribution/services/importers/socialpubsync

  • select Save

8. Unique Sling ID

CAUTION
If the Sling ID matches between two or more Publish instances then user group sync fails.

If the Sling ID is the same for multiple Publish instances in a publish farm, then user groups are not synchronized.

To validate that all Sling ID values differ, on each Publish instance:

  1. browse to http://<host>:<port>/system/console/status-slingsettings
  2. check the value of Sling ID

Checking the value of Sling ID

If the Sling ID of a Publish instance matches the Sling ID of any other Publish instance, then:

  1. stop one of the Publish instances that has a matching Sling ID

  2. in the crx-quickstart/launchpad/felix directory

    • search for and delete the file named sling.id.file

      • for example, on a Linux® system:
        rm -i $(find . -type f -name sling.id.file)

      • for example, on a Windows system:
        use windows explorer and search for *sling.id.file*

  3. start the Publish instance

    • on startup it is assigned a new Sling ID

  4. validate that the Sling ID is now unique

Repeat these steps until all Publish instances have a unique Sling ID.

Vault Package Builder Factory

For updates to sync properly, it is necessary to modify the vault package builder for user sync:

  • on each AEM Publish instance

  • access the Web Console

  • locate the Apache Sling Distribution Packaging - Vault Package Builder Factory

    • Builder name: socialpubsync-vlt

  • select the edit icon

  • add two Package Node Filters:

    • /home/users|-.*/.tokens
    • /home/users|-.*/rep:cache

  • policy handling:

    • to overwrite existing rep:policy nodes with new ones, add a third Package Filter:

      • /home/users|+.*/rep:policy

    • to prevent policies from being distributed, set

      • Acl Handling: IGNORE

Vault Package Builder Factory

What Happens When …

User Self-Registers or Edits Profile on Publish

By design, users and profiles created in the publish environment (self-registration) do not appear in the author environment.

When the topology is a publish farm and user sync has been correctly configured, the user and user profile is synchronized across the publish farm using Sling distribution.

Users or User Groups are Created Using Security Console

By design, user data created in the publish environment does not appear in the author environment and conversely.

When the User Administration and Security console is used to add new users in the publish environment, user sync synchronizes the new users and their group membership to other Publish instances, if necessary. User sync also synchronizes user groups created through the security console.

Troubleshooting

How to Take User Sync Offline

To take user sync offline, to remove a Publish instance or manually sync data, the distribution queue must be empty and quiet.

To check the state of the distribution queue:

  • on Author:

    • using CRXDE Lite

      • look for entries in /var/sling/distribution/packages

        • folder nodes named with the pattern distrpackage_*

    • using Package Manager

      • look for pending packages (not yet installed)

        • named with the pattern socialpubsync-vlt*

When the distribution queue is empty, disable user sync:

When tasks are completed, to re-enable user sync:

User Sync Diagnostics

User Sync Diagnostics is a tool that checks the configuration and attempts to identify any problems.

On Author, simply navigate from the main console through Tools, Operations, Diagnosis, User Sync Diagnostics.

Simply entering the User Sync Diagnostics console displays the results.

This is what is displayed when User Synchronization has not been enabled:

Warning that User Sync Diagnostics is not enabled

How To Run Diagnostics for Publish Instances

When the diagnostic is run from the author environment, the pass/fail results include an [INFO] section displaying the list of configured Publish instances for confirmation.

Included in the list is a URL for each Publish instance that runs the diagnostics for that instance. The url param syncUser is appended to the diagnostics URL with its value set to the authorized sync user created in Step 2.

Note: before launching the URL, the authorized sync user must already be signed into that Publish instance.

Diagnostics for Publish Instances

Configuration Improperly Added

When user sync fails to work, the most common problem is that additional configurations were added. Instead, the *existing *default configuration should have been edited.

Following are views of how the edited, default configurations should appear in the Web Console. If more than the one instance appears, the added configuration should be removed.