Customer Scale: Stateless Sessions and Managing High-Volume Digital Services


Rob Wapshott, Sr Software Developer, ForgeRock:
When identity moves beyond simple users and web apps to also include devices and things, the
volume of identities to manage grows exponentially. Identity deployments are now asked to support
over a hundred million identities. In this session, Rob will discuss the exploding requirements for
scale and how to meet them.


  1. Customer Scale: Internet Scale Session Management with Stateless Sessions in OpenAM
     Robert Wapshott, Senior Software Developer, ForgeRock
     robert.wapshott@forgerock.com
  2. Mobile devices: 7.5 billion
     IoT Devices: 4.9 billion
     Analysts predict rapid growth
     Identity will be at the center
     Challenge: Internet Scale
     Estimated 4 connected devices per person by 2020 (source: Strategy Analytics)
     Copyright © Identity Summit 2015, all rights reserved.
  3. Challenge: Internet Scale
     • Elastic Deployment / Cloud
     • Load Balancing
     • Security
     Features like Single Sign-On (SSO) will be ranked highly
     Gartner Predicts Infrastructure Services Will Accelerate Cloud Computing Growth (Source)
  4. OpenAM: Access Management
     OpenAM provides:
     • Authentication
     • Authorization
     • Session Management
     • Single Sign-On
     • User Profiles
     • Federation
  5. Session Management: Stateful
     Session management is at the core of OpenAM:
     • Cluster load balancing
     • Failover Storage (OpenDJ)
     • Session held in server memory
     • Session persisted for failover
     Stateful OpenAM deployment
  6. Session Management: Stateless
     Stateless Session model introduced for OpenAM 13:
     • Simplified load balancing
     • No failover storage required
     • No in-memory Session
     • Session stored in cookie
     Stateless OpenAM deployment
  7. Enabling Stateless Sessions
     Optional Feature
     Enabled per realm
     Shared Signing/Encryption
  8. How do Stateless Sessions Work?
     • Uses browser Cookie (JWT)
     • Session can be Signed
       – HMAC Shared Secret
     • Session can be Encrypted
       – RSA 256
     • Package up in SSO Token (iPlanetDirectoryPro)
     Comparison of Stateful and Stateless
  9. Stateless Sessions: Logout
     Optional feature
     Stores UID in-memory
     Stores UID in CTS
     Replicated between servers
  10. Recommended for Stateless Sessions
      Global Deployments
      Replicating user Session data between data centres is a challenge
      Failover recovery is complex
      Stateless Sessions simplifies this problem
      Stateful communication: global replication
  11. Recommended for Stateless Sessions
      Elastic Deployments seen in:
      • Retail
      • Media
      • Entertainment
      • Emergency
      Server elasticity suits Stateless Sessions, Cloud is increasingly common
  12. REST and Stateless
      • Increasingly valuable for third party applications
      • Cookies are not RESTful
      • Requires dependency on home server
      • Crosstalk has performance consequence
      Stateless Sessions for REST users might help
  13. Not Recommended for Stateless Sessions
      There are situations where Stateless Sessions are not recommended:
      • Session Quota: N logins on an account allowed
      • CDSSO: Looks up Session based on restricted token
      • SAML: Some profiles require stateful Session
      This will be covered in documentation
  14. Deployment Characteristics

      | Stateful Sessions (OpenAM 10-13) | Stateless Sessions (OpenAM 13) |
      |----------------------------------|--------------------------------|
      | Memory: Stored in Server memory  | CPU: Decrypt/Verify Signature  |
      | Session persists in Database     | Session persists in Cookie     |
      | Vertical Scalability             | Horizontal Scalability         |
      | Load Balancer: Sticky            | Load Balancer: Round Robin     |

  15. Performance Comparison
      Test Setup: Stateful
      • 2 OpenAM servers
      • 2 OpenDJ servers
      • Standard failover
      • External Load Balancer
      Test Setup: Stateless
      • 2 OpenAM servers
      • No failover
      • Session Signing
      • External Load Balancer
      Dell PowerEdge R620
  16. Performance Test Objective
      Session Management performance comparison
      • Sustained duration (10 min)
      • 5,000 concurrent users
      • Login, validate, logout
      • Basic Stateless
        – Signing
        – No blacklist
      Gatling (http://gatling.io)
  17. Performance Graphs
      Stateful Sessions: 3,000 Login/Second
      Stateless Session: 5,000 Login/Second
  18. Performance Analysis
      Expectations:
      • Stateful faster, in memory Sessions
      • Stateless processing time slower
      Actual Result:
      • Process Stateless Session quick
      • Stateful code path obvious factor
      Comparison of path through code base
  19. Takeaways
      • Dramatic growth in connected ‘things’
      • OpenAM supports a lot of these use cases
      • Tradeoffs exist - no “one size fits all”
      • Enabling new options for scaling
      • Faster than I expected
  20. Thank You!
      Robert Wapshott, Senior Software Developer, ForgeRock
      robert.wapshott@forgerock.com
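
The signed session cookie of slide 8 and the logout store of slide 9, modelled in Python as an added example; it is not code from the slides or from OpenAM. The `Server` class, the HS256 choice, the claim names (`sub`, `jti` for the session UID, `exp`) and the shared dict standing in for the replicated CTS store are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Server:
    """One cluster node. Constructed model, not OpenAM code."""

    def __init__(self, secret: bytes, blacklist: dict):
        self.secret = secret        # HMAC secret shared by every server in the realm
        self.blacklist = blacklist  # session id -> expiry; stands in for the replicated store

    def _mac(self, signing_input: str) -> bytes:
        digest = hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest()
        return b64e(digest).encode()

    def login(self, user: str, now: float, ttl: int = 300) -> str:
        header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": user, "jti": secrets.token_urlsafe(16), "exp": now + ttl}
        signing_input = header + "." + b64e(json.dumps(claims).encode())
        return signing_input + "." + self._mac(signing_input).decode()

    def _claims(self, cookie: str, now: float):
        """Return the claims of an authentic, unexpired cookie, else None."""
        try:
            header, body, sig = cookie.split(".")
            # Check the MAC before parsing anything the client controls.
            if not hmac.compare_digest(sig.encode(), self._mac(header + "." + body)):
                return None
            if json.loads(b64d(header)).get("alg") != "HS256":  # pin the algorithm
                return None
            claims = json.loads(b64d(body))
        except (ValueError, AttributeError):
            return None
        return claims if claims["exp"] > now else None

    def validate(self, cookie: str, now: float):
        """Return the user name, or None if forged, expired or logged out."""
        claims = self._claims(cookie, now)
        if claims is None or claims["jti"] in self.blacklist:
            return None
        return claims["sub"]

    def logout(self, cookie: str, now: float) -> None:
        claims = self._claims(cookie, now)
        if claims is not None:
            # The entry is only needed until the cookie would have expired anyway.
            self.blacklist[claims["jti"]] = claims["exp"]
```

Any node holding the shared secret can validate a cookie issued by another node, which is what allows round-robin load balancing; a node whose logout store is not replicated keeps accepting a logged-out cookie until it expires.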
