General Guidance on IdP Environment Sizing
Jim Fox
fox at washington.edu
Thu Sep 27 19:22:19 EDT 2018
On most of our logins we do a Kerberos password check, a general lookup of LDAP information, a group lookup
(for the memberOf attribute), and often some other API lookups.
At our busiest we can see 15-20 logins per second. I did some testing and I
think one of our IdP hosts can handle at most 8-10 logins/second. So we'd need at least three
for our busy times. We also do GR testing by shutting off services in one or more of our
data centers -- although not at the peak times. But we need to support a more common high load (say, 10/sec)
in each of our data centers.
I generally prefer having more than I need rather than fewer than I need.
Jim
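Jim's sizing reasoning above (peak logins/second, measured per-host capacity, and the requirement that each data center carry the common high load on its own during DR testing) as a small capacity model. This is an added example, not code from the thread or the Shibboleth project; the data-center count of 2, the conservative 8 logins/second per host, and the headroom factor are assumptions, not values the thread states.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SizingInput:
    peak_rate: float          # busiest observed logins/second across all data centers
    per_host_rate: float      # measured sustainable logins/second for one IdP host
    dc_count: int             # data centers hosting IdPs (assumed: 2, thread does not say)
    per_dc_high_load: float   # "common high load" one DC must carry alone (logins/second)
    dcs_lost: int = 1         # how many DCs the DR test takes offline at once
    headroom: float = 1.0     # >1.0 buys spare capacity ("more than I need")


def hosts_for(rate: float, per_host_rate: float, headroom: float = 1.0) -> int:
    """Smallest host count whose combined capacity covers `rate` with headroom."""
    if per_host_rate <= 0:
        raise ValueError("per-host rate must be positive")
    return max(1, math.ceil(rate * headroom / per_host_rate))


def size_idp_fleet(s: SizingInput) -> dict:
    """Hosts per DC so that (a) all DCs together cover the global peak and
    (b) any single DC still covers the common high load when the others are off."""
    if s.dcs_lost >= s.dc_count:
        raise ValueError("cannot lose every data center and keep serving logins")
    # (a) global peak with every DC healthy, hosts spread evenly over the DCs
    peak_total = hosts_for(s.peak_rate, s.per_host_rate, s.headroom)
    # (b) DR case: each DC must absorb the common high load by itself
    per_dc = hosts_for(s.per_dc_high_load, s.per_host_rate, s.headroom)
    per_dc = max(per_dc, math.ceil(peak_total / s.dc_count))
    total = per_dc * s.dc_count
    surviving = (s.dc_count - s.dcs_lost) * per_dc * s.per_host_rate
    return {
        "hosts_per_dc": per_dc,
        "total_hosts": total,
        "peak_capacity": total * s.per_host_rate,
        "capacity_with_dc_loss": surviving,
        "dr_covers_peak": surviving >= s.peak_rate,  # False means: do not DR-test at peak
    }


# Worked case built from the numbers in the message above (dc_count is assumed).
JIM = SizingInput(peak_rate=20, per_host_rate=8, dc_count=2, per_dc_high_load=10)

if __name__ == "__main__":
    print(size_idp_fleet(JIM))
```

Using the lower end of the measured 8-10 logins/second per host gives the "at least three" hosts for the peak; the per-data-center DR requirement is what actually drives the fleet size, and the `dr_covers_peak` flag tells you whether the DR test is safe to run at peak.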
On Thu, 27 Sep 2018, Boyd, Todd M. wrote:
> Date: Thu, 27 Sep 2018 13:11:43
> From: "Boyd, Todd M." <tmboyd1 at ccis.edu>
> To: Shib Users <users at shibboleth.net>
> Reply-To: Shib Users <users at shibboleth.net>
> Subject: Re: General Guidance on IdP Environment Sizing
>
> We see 100,000+ logins to our constituent portal on a daily basis (and well beyond that during peak registration of students) on a load-balanced pair of IdP servers pointed to Active Directory (via LDAP). Our directory service is the source of record for authentication and attribute retrieval. Similarly to Scott, we would be able to reduce this to a single server if high availability was not a concern. Due to our tree structure, we have to do global lookups (i.e., not bound to a specific OU), but it hasn't been an impediment thus far.
>
> -Todd
>
>
> From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
> Sent: Thursday, September 27, 2018 1:58 PM
> To: Shib Users
> Subject: Re: General Guidance on IdP Environment Sizing
>
> If the issue is LDAP performance then the sizing in question would be on that side, not the IdP. The IdP spends most of its time signing things, it's incredibly CPU bound.
>
> I do an LDAP lookup per login, though primary authn is Kerberos protocol (much faster than LDAP), but with 200-400,000 logins per day I just have two servers live and could easily handle the load on one (physical) box.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>