General Guidance on IdP Environment Sizing

Boyd, Todd M. tmboyd1 at
Thu Sep 27 16:11:43 EDT 2018

We see 100,000+ logins to our constituent portal on a daily basis (and well beyond that during peak registration of students) on a load-balanced pair of IdP servers pointed to Active Directory (via LDAP). Our directory service is the source of record for authentication and attribute retrieval. Similarly to Scott, we would be able to reduce this to a single server if high availability was not a concern. Due to our tree structure, we have to do global lookups (i.e., not bound to a specific OU), but it hasn't been an impediment thus far.


From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Thursday, September 27, 2018 1:58 PM
To: Shib Users
Subject: Re: General Guidance on IdP Environment Sizing
If the issue is LDAP performance then the sizing in question would be on that side, not the IdP. The IdP spends most of its time signing things, it's incredibly CPU bound.

I do an LDAP lookup per login, though primary authn is Kerberos protocol (much faster than LDAP), but with 200-400,000 logins per day I just have two servers live and could easily handle the load on one (physical) box.

-- Scott
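Scott's point that the IdP is CPU-bound on signing is something a capacity planner can check directly, by measuring the raw signature rate of one core and comparing it with the peak login rate implied by the daily totals in this thread. The following Go program is an added example, not code from the thread or from the Shibboleth project: it benchmarks RSA-2048 SHA-256 signing with the standard library, then runs a simple sizing model. The model's inputs are assumptions I have chosen, not figures from the posts: the busiest hour carrying 10% of the day's logins, two signatures per login (response and assertion), and a 2x headroom multiplier.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math"
	"time"
)

// NewSigningKey generates a throwaway RSA key of the given size. A real IdP
// loads its signing key from a keystore; this key exists only for the benchmark.
func NewSigningKey(bits int) *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return key
}

// SigningRate measures how many RSA-SHA256 (PKCS#1 v1.5) signatures a single
// goroutine, i.e. roughly one core, produces per second by signing n distinct
// digests with key. It measures the signing primitive only, not XML
// canonicalisation, TLS, LDAP lookups or session handling.
func SigningRate(key *rsa.PrivateKey, n int) float64 {
	// Constructed stand-in for the canonicalised assertion bytes.
	digest := sha256.Sum256([]byte("constructed sample SAML assertion"))
	start := time.Now()
	for i := 0; i < n; i++ {
		digest[0] = byte(i) // vary the input so each signature is distinct
		if _, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]); err != nil {
			panic(err)
		}
	}
	return float64(n) / time.Since(start).Seconds()
}

// PeakLoginsPerSecond converts a daily login total into a peak per-second
// rate, assuming the busiest hour carries peakShare of the day's logins
// (0.10 means a tenth of the day's traffic arrives within one hour).
func PeakLoginsPerSecond(loginsPerDay, peakShare float64) float64 {
	return loginsPerDay * peakShare / 3600
}

// CoresNeeded estimates how many cores the signing work alone requires at the
// peak login rate, given signatures per login, the measured per-core signing
// rate and a headroom multiplier (2 means plan to run at no more than 50%).
func CoresNeeded(peakLogins, sigsPerLogin, sigsPerCorePerSec, headroom float64) int {
	return int(math.Ceil(peakLogins * sigsPerLogin / sigsPerCorePerSec * headroom))
}

func main() {
	key := NewSigningKey(2048)
	rate := SigningRate(key, 200)
	fmt.Printf("RSA-2048 signing rate on one core: %.0f sig/s\n", rate)

	// Assumed inputs (not from the thread): 10% of the day's logins in the
	// peak hour, two signatures per login, 2x headroom. The daily totals are
	// the two figures mentioned in the thread.
	for _, perDay := range []float64{100000, 400000} {
		peak := PeakLoginsPerSecond(perDay, 0.10)
		cores := CoresNeeded(peak, 2, rate, 2)
		fmt.Printf("%.0f logins/day -> %.1f logins/s at peak -> %d core(s) for signing\n",
			perDay, peak, cores)
	}
}
```

Run it with `go run .` on the box you intend to size; the measured rate is what matters, since it varies with CPU generation and key size. On typical hardware the signing budget for a few hundred thousand logins per day comes out at a fraction of one core, which matches the observation in this thread that a single server would carry the load and that the second box is there for availability rather than capacity. If the per-login latency budget is still blown, the time is going somewhere other than signing, most often the LDAP round trip.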
