
Customer Scale: Stateless Sessions and Managing High-Volume Digital Services


Rob Wapshott, Sr Software Developer, ForgeRock:
When identity moves beyond simple users and web apps to also include devices and things, the
volume of identities to manage grows exponentially. Identity deployments are now asked to support
over a hundred million identities. In this session, Rob will discuss the exploding requirements for
scale and how to meet them.



  1. Customer Scale: Internet Scale Session Management with Stateless Sessions in OpenAM
     Robert Wapshott, Senior Software Developer, ForgeRock, robert.wapshott@forgerock.com
  2. Challenge: Internet Scale
     • Mobile devices: 7.5 billion
     • IoT devices: 4.9 billion
     • Analysts predict rapid growth
     • Identity will be at the center
     • Estimated 4 connected devices per person by 2020 (source: Strategy Analytics)
     Copyright © Identity Summit 2015, all rights reserved.
  3. Challenge: Internet Scale
     • Elastic deployment / cloud
     • Load balancing
     • Security features like Single Sign-On (SSO) will be ranked highly
     Gartner predicts infrastructure services will accelerate cloud computing growth (source)
  4. OpenAM: Access Management
     OpenAM provides:
     • Authentication
     • Authorization
     • Session Management
     • Single Sign-On
     • User Profiles
     • Federation
  5. Session Management: Stateful
     Session management is at the core of OpenAM:
     • Cluster load balancing
     • Failover storage (OpenDJ)
     • Session held in server memory
     • Session persisted for failover
     (Diagram: Stateful OpenAM deployment)
  6. Session Management: Stateless
     Stateless Session model introduced for OpenAM 13:
     • Simplified load balancing
     • No failover storage required
     • No in-memory Session
     • Session stored in cookie
     (Diagram: Stateless OpenAM deployment)
  7. Enabling Stateless Sessions
     • Optional feature
     • Enabled per realm
     • Shared signing/encryption
  8. How do Stateless Sessions Work?
     • Uses browser cookie (JWT)
     • Session can be signed – HMAC shared secret
     • Session can be encrypted – RSA 256
     • Packaged up in SSO token (iPlanetDirectoryPro)
     (Diagram: Comparison of Stateful and Stateless)
  9. Stateless Sessions: Logout
     • Optional feature
     • Stores UID in memory
     • Stores UID in CTS
     • Replicated between servers
  10. Recommended for Stateless Sessions: Global Deployments
     • Replicating user Session data between data centres is a challenge
     • Failover recovery is complex
     • Stateless Sessions simplify this problem
     (Diagram: Stateful communication: global replication)
  11. Recommended for Stateless Sessions: Elastic Deployments
     Seen in:
     • Retail
     • Media
     • Entertainment
     • Emergency
     Server elasticity suits Stateless Sessions; cloud is increasingly common
  12. REST and Stateless
     • Increasingly valuable for third-party applications
     • Cookies are not RESTful
     • Requires dependency on home server
     • Crosstalk has a performance consequence
     Stateless Sessions for REST users might help
  13. Not Recommended for Stateless Sessions
     There are situations where Stateless Sessions are not recommended:
     • Session Quota: N logins on an account allowed
     • CDSSO: looks up Session based on restricted token
     • SAML: some profiles require stateful Session
     This will be covered in documentation
  14. Deployment Characteristics
     Stateful Sessions (OpenAM 10-13)     | Stateless Sessions (OpenAM 13)
     Memory: stored in server memory      | CPU: decrypt/verify signature
     Session persists in database         | Session persists in cookie
     Vertical scalability                 | Horizontal scalability
     Load balancer: sticky                | Load balancer: round robin
  15. Performance Comparison
     Test setup: Stateful
     • 2 OpenAM servers
     • 2 OpenDJ servers
     • Standard failover
     • External load balancer
     Test setup: Stateless
     • 2 OpenAM servers
     • No failover
     • Session signing
     • External load balancer
     Hardware: Dell PowerEdge R620
  16. Performance Test Objective
     Session Management performance comparison:
     • Sustained duration (10 min)
     • 5,000 concurrent users
     • Login, validate, logout
     • Basic Stateless – signing, no blacklist
     Tool: Gatling (http://gatling.io)
  17. Performance Graphs
     • Stateful Sessions: 3,000 logins/second
     • Stateless Sessions: 5,000 logins/second
  18. Performance Analysis
     Expectations:
     • Stateful faster, in-memory Sessions
     • Stateless processing time slower
     Actual result:
     • Processing a Stateless Session is quick
     • Stateful code path is the obvious factor
     (Diagram: Comparison of path through code base)
  19. Takeaways
     • Dramatic growth in connected ‘things’
     • OpenAM supports a lot of these use cases
     • Tradeoffs exist - no “one size fits all”
     • Enabling new options for scaling
     • Faster than I expected
  20. Thank You!
     Robert Wapshott, Senior Software Developer, ForgeRock, robert.wapshott@forgerock.com
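As an added illustration (not OpenAM code and not from the slides), the following Python sketch shows the mechanism slides 8 and 9 describe: the session state is carried in an HMAC-signed JWT using a secret shared by every server, so any server can validate it with no in-memory or database lookup, and the optional logout feature is a replicated blacklist of logged-out session UIDs. The claim names, the secret value and the in-memory set standing in for the CTS store are assumptions.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Assumption: one secret shared by all servers in the cluster (constructed demo value).
SHARED_SECRET = b"constructed-demo-secret-shared-by-all-servers"
# Stands in for the in-memory / CTS store of logged-out session UIDs (slide 9).
LOGOUT_BLACKLIST = set()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_session(uid: str, username: str, realm: str, ttl_seconds: int, now: int) -> str:
    """Build an HS256-signed JWT carrying the whole session; nothing is kept server side."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "realm": realm, "sid": uid, "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_session(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not logged out, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if header.get("alg") != "HS256":   # pin the algorithm; never trust the token's own choice
            return None
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):   # constant-time compare
            return None
        claims = json.loads(_unb64url(claims_b64))
    except ValueError:                     # malformed base64 or JSON
        return None
    if claims["exp"] <= now:               # the cookie itself carries the lifetime
        return None
    if claims["sid"] in LOGOUT_BLACKLIST:  # optional logout support from slide 9
        return None
    return claims

def logout(token: str, now: int) -> bool:
    """Record the session UID in the blacklist; a later validate on any server rejects it."""
    claims = validate_session(token, now)
    if claims is None:
        return False
    LOGOUT_BLACKLIST.add(claims["sid"])
    return True
```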
