Customer Scale
Internet Scale Session Management
with Stateless Sessions in OpenAM
Robert Wapshott
Senior Software Developer, ForgeRock
robert.wapshott@forgerock.com
Mobile devices: 7.5 billion
IoT Devices: 4.9 billion
Analysts predict rapid growth
Identity will be at the center
Challenge: Internet Scale
Copyright © Identity Summit 2015, all rights reserved.
Estimated 4 connected devices per person by 2020 (source: Strategy Analytics)
Challenge: Internet Scale
• Elastic Deployment / Cloud
• Load Balancing
• Security
Features like Single Sign-On (SSO) will be ranked highly
Gartner Predicts Infrastructure Services Will Accelerate Cloud Computing Growth (Source)
OpenAM: Access Management
OpenAM provides:
• Authentication
• Authorization
• Session Management
• Single Sign-On
• User Profiles
• Federation
Session Management: Stateful
Session management is at the core of OpenAM:
• Cluster load balancing
• Failover Storage (OpenDJ)
• Session held in server memory
• Session persisted for failover
Stateful OpenAM deployment
Session Management: Stateless
Stateless Session model introduced for OpenAM 13:
• Simplified load balancing
• No failover storage required
• No in-memory Session
• Session stored in cookie
Stateless OpenAM deployment
Enabling Stateless Sessions
Optional Feature
Enabled per realm
Shared Signing/Encryption
How do Stateless Sessions Work?
• Uses browser Cookie (JWT)
• Session can be Signed
– HMAC Shared Secret
• Session can be Encrypted
– RSA 256
• Package up in SSO Token (iPlanetDirectoryPro)
Comparison of Stateful and Stateless
Stateless Sessions: Logout
Optional feature
Stores UID in-memory
Stores UID in CTS
Replicated between servers
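The two slides above describe the mechanism in one line each: the session lives in a signed JWT cookie that any server holding the shared key can verify, and logout works by remembering the session identifier (in memory or the CTS) until the token would have expired anyway. The following Python is an added illustration of that model written for this page; it is not OpenAM's code and does not reproduce OpenAM's token layout. The shared secret, the claim names (sid, sub, iat, exp) and the in-memory LogoutBlacklist class are constructed for the example; the signing scheme is a standard HS256 compact JWS.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed shared HMAC key: every server in the realm must hold the same key
# (the "Shared Signing/Encryption" point on the enabling slide). Constructed value.
SHARED_SECRET = b"constructed-demo-secret-do-not-deploy"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_session(sid: str, user: str, ttl_seconds: int, now: int,
                  key: bytes = SHARED_SECRET) -> str:
    """Mint a compact JWS (header.claims.signature) that carries the whole session.
    The server keeps nothing in memory: the signed claims are the session."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sid": sid, "sub": user, "iat": now, "exp": now + ttl_seconds}
    signing_input = _encode_segment(header) + "." + _encode_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class LogoutBlacklist:
    """Session ids logged out before their expiry (the optional logout feature).
    Stands in for the in-memory / CTS store on the logout slide; an entry is only
    needed until its token would have expired on its own, so the store stays bounded."""

    def __init__(self) -> None:
        self._revoked: dict = {}  # sid -> exp

    def revoke(self, sid: str, exp: int) -> None:
        self._revoked[sid] = exp

    def is_revoked(self, sid: str) -> bool:
        return sid in self._revoked

    def purge(self, now: int) -> int:
        """Drop entries whose token has already expired; return how many remain."""
        self._revoked = {s: e for s, e in self._revoked.items() if e > now}
        return len(self._revoked)


def validate_session(token: str, now: int, blacklist: Optional[LogoutBlacklist] = None,
                     key: bytes = SHARED_SECRET) -> Optional[dict]:
    """Return the claims if signature, algorithm, expiry and blacklist checks all
    pass; otherwise None. The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    try:
        provided = _b64url_decode(s)
    except ValueError:  # binascii.Error is a ValueError
        return None
    expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    claims = json.loads(_b64url_decode(c))
    if claims.get("exp", 0) <= now:
        return None
    if blacklist is not None and blacklist.is_revoked(claims.get("sid")):
        return None
    return claims


def logout(token: str, now: int, blacklist: LogoutBlacklist) -> bool:
    """Stateless logout: the token cannot be recalled from the browser, so the
    server records its sid until the token's own expiry makes the entry moot."""
    claims = validate_session(token, now, blacklist)
    if claims is None:
        return False
    blacklist.revoke(claims["sid"], claims["exp"])
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    bl = LogoutBlacklist()
    tok = issue_session("sid-1", "alice", 600, now)
    print("valid before logout:", validate_session(tok, now + 10, bl) is not None)
    print("logout accepted:", logout(tok, now + 20, bl))
    print("valid after logout:", validate_session(tok, now + 30, bl) is not None)
    print("blacklist entries after token expiry:", bl.purge(now + 600))
```

Two design points follow directly from the slides. Verification needs only the shared key, which is why a round-robin load balancer works: any server can check any token. And because the blacklist entry carries the token's own exp, the purge step lets the store forget a logout as soon as the token could no longer validate anyway, which keeps the replicated state small even at the login rates on the performance slides.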
Recommended for Stateless Sessions
Global Deployments
Replicating user Session data between data centres is a challenge
Failover recovery is complex
Stateless Sessions simplify this problem
Stateful communication: global replication
Recommended for Stateless Sessions
Elastic Deployments seen in:
• Retail
• Media
• Entertainment
• Emergency
Server elasticity suits Stateless Sessions; Cloud is increasingly common
REST and Stateless
• Increasingly valuable for third party applications
• Cookies are not RESTful
• Requires dependency on home server
• Crosstalk has performance consequence
Stateless Sessions for REST users might help
Not Recommended for Stateless Sessions
There are situations where Stateless Sessions are not recommended:
• Session Quota: N logins on an account allowed
• CDSSO: Looks up Session based on restricted token
• SAML: Some profiles require stateful Session
This will be covered in documentation
Deployment Characteristics
Stateful Sessions (OpenAM 10-13)    | Stateless Sessions (OpenAM 13)
Memory: Stored in Server memory     | CPU: Decrypt/Verify Signature
Session persists in Database        | Session persists in Cookie
Vertical Scalability                | Horizontal Scalability
Load Balancer: Sticky               | Load Balancer: Round Robin
Performance Comparison
Test Setup: Stateful
• 2 OpenAM servers
• 2 OpenDJ servers
• Standard failover
• External Load Balancer
Test Setup: Stateless
• 2 OpenAM servers
• No failover
• Session Signing
• External Load Balancer
Dell PowerEdge R620
Performance Test Objective
Session Management performance comparison
• Sustained duration (10 min)
• 5,000 concurrent users
• Login, validate, logout
• Basic Stateless
– Signing
– No blacklist
Gatling (http://gatling.io)
Performance Graphs
Stateful Sessions
3,000 Login/Second
Stateless Session
5,000 Login/Second
Performance Analysis
Expectations:
• Stateful faster (in-memory Sessions)
• Stateless slower (extra processing time per request)
Actual result:
• Processing a Stateless Session is quick
• The Stateful code path is the obvious factor
Comparison of path through code base
Takeaways
• Dramatic growth in connected ‘things’
• OpenAM supports a lot of these use cases
• Tradeoffs exist - no “one size fits all”
• Enabling new options for scaling
• Faster than I expected
Thank You!
Robert Wapshott
Senior Software Developer, ForgeRock
robert.wapshott@forgerock.com