Sharing performance testing findings

Jason B. Rappaport jasonrap at
Fri Apr 5 09:26:08 EDT 2019

This week, we engaged with performance testing of our PeopleSoft system and
I wanted to share our key findings in the event it can help someone else.  I
am summarizing the findings below, so please grant me the liberty to be
slightly off in the description.



Our PeopleSoft system is used by faculty, staff, and students and is
configured to be accessed via web proxies.  The web proxies (2) are load
balanced (round robin, cookie based) and configured as Shibboleth SPs, which
defers authentication to our load balanced (round robin, cookie based)
Shibboleth IDPs (2), which then perform the actual authentication via CAS
(single node, for now) that uses AD.   



During our performance testing, when we tried to authenticate 1,000 users at
5 per second and perform a series of tasks within PeopleSoft we would
encounter a high error rate that our PeopleSoft weblogic and app servers
could not recover from unless we restarted those services.  In digging into
where the errors were being generated, we uncovered the following:

1.	Our two Shibboleth IDPs were targeting the same DCs (in the same
order) for attribute resolution per the attribute-resolver.xml file
2.	Our CAS server was also targeting the same DC for authentication


In essence, the single DC was seeing traffic from three hosts, two for
attribute resolution (IDPs) and one for authentication (CAS) at the same
time resulting in CPU usage from 60% to 100% during our load testing.  


Actions taken:

1.	We changed the order within our Shibboleth IDPs
(attribute-resolver.xml) so the first DC they would hit for attribute
resolution would be different  
2.	We changed the DC that CAS was using for authentication to not be
either DC the Shibboleth IDPs were using for attribute resolution; i.e. a
3rd DC.  



1.	Each DC, when conducting the load test, now operates around 40% CPU
2.	The 3rd DC, the one that CAS is using for authentication, is
operating around 15% CPU usage when conducing the load test



We were tipped off by this post:
td7589479.html  that our IDPs could be a bottleneck if attribute resolution
and/or authentication was taking too long <-Thanks Scott!  


That being said, we still have more work to do as when we perform a load
test with 1,000 users at 10 per second we encounter a high error rate.  We
are hoping to determine how we can configure the system to not error out,
but to resolve gracefully.  


Again, hopefully our findings can help someone else with their


Thanks, Jay 


Jason Rappaport

Identity and Access Management Analyst

Office of Information Technology

Email:   <mailto:jasonrap at> jasonrap at 

Office:  609-258-8464


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5653 bytes
Desc: not available
URL: <>

More information about the users mailing list