Customer Scale Internet Scale Session Management with Stateless Sessions in OpenAM Robert Wapshott Senior Software Developer, ForgeRock [email protected]

Upload: forgerock

Post on 25-Jul-2015



Mobile devices: 7.5 billion
IoT Devices: 4.9 billion

Analysts predict rapid growth

Identity will be at the center

Challenge: Internet Scale

Copyright © Identity Summit 2015, all rights reserved.

Estimated 4 connected devices per person by 2020 (source: Strategy Analytics)

Challenge: Internet Scale

• Elastic Deployment / Cloud
• Load Balancing
• Security

Features like Single Sign-On (SSO) will be ranked highly


Gartner Predicts Infrastructure Services Will Accelerate Cloud Computing Growth (Source)

OpenAM: Access Management

OpenAM provides:
• Authentication
• Authorization
• Session Management
• Single Sign-On
• User Profiles
• Federation


Session Management: Stateful

Session management is at the core of OpenAM:

• Cluster load balancing
• Failover Storage (OpenDJ)
• Session held in server memory
• Session persisted for failover


Stateful OpenAM deployment

Session Management: Stateless

Stateless Session model introduced for OpenAM 13:

• Simplified load balancing
• No failover storage required
• No in-memory Session
• Session stored in cookie


Stateless OpenAM deployment

Enabling Stateless Sessions

Optional Feature

Enabled per realm

Shared Signing/Encryption


How do Stateless Sessions Work?

• Uses browser Cookie (JWT)
• Session can be Signed
  – HMAC Shared Secret
• Session can be Encrypted
  – RSA 256
• Package up in SSO Token (iPlanetDirectoryPro)


Comparison of Stateful and Stateless

Chris Lee
Is it possible to squeeze "Session" into the OpenAM box in the top of the diagram?

Stateless Sessions: Logout

Optional feature

Stores UID in-memory

Stores UID in CTS

Replicated between servers
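To make the signed-cookie session and the blacklist-based logout concrete, here is an added illustration in Python (not OpenAM's code; the shared secret, claim names, session ids and the in-memory blacklist set are constructed for the demo, standing in for the UID list the deck says is kept in memory or in CTS):

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret: every server in the realm would share the real one.
SHARED_SECRET = b"demo-shared-secret-not-for-production"
# Constructed stand-in for the logout blacklist (kept in memory or in CTS per the deck).
LOGOUT_BLACKLIST = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(uid, session_id, realm, ttl_seconds, now):
    """Mint the JWT that rides in the cookie: header.claims.HMAC-SHA256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": uid, "jti": session_id, "realm": realm, "iat": now, "exp": now + ttl_seconds}
    signing_input = header + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_session(token, now):
    """Server-side check: no session store lookup, only the cookie, the secret and the blacklist."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None  # tampered claims or forged signature
    claims = json.loads(_b64url_decode(parts[1]))
    if now >= claims["exp"] or claims["jti"] in LOGOUT_BLACKLIST:
        return None  # expired, or logged out via the blacklist
    return claims


def logout(token, now):
    """Stateless logout: the only state kept is the session id on the blacklist."""
    claims = validate_session(token, now)
    if claims is None:
        return False
    LOGOUT_BLACKLIST.add(claims["jti"])
    return True
```

Any server holding the shared secret can validate the cookie without consulting another node, which is why only the small blacklist needs replicating.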


Recommended for Stateless Sessions

Global Deployments

Replicating user Session data between data centres is a challenge

Failover recovery is complex

Stateless Sessions simplify this problem


Stateful communication: global replication

Recommended for Stateless Sessions

Elastic Deployments seen in:
• Retail
• Media
• Entertainment
• Emergency

Server elasticity suits Stateless Sessions, Cloud is increasingly common


REST and Stateless


• Increasingly valuable for third party applications
• Cookies are not RESTful
• Requires dependency on home server
• Crosstalk has performance consequence

Stateless Sessions for REST users might help

Not Recommended for Stateless Sessions

There are situations where Stateless Sessions are not recommended:

• Session Quota: N logins on an account allowed
• CDSSO: Looks up Session based on restricted token
• SAML: Some profiles require stateful Session

This will be covered in documentation


Deployment Characteristics


Stateful Sessions (OpenAM 10-13):
• Memory: Stored in Server memory
• Session persists in Database
• Vertical Scalability
• Load Balancer: Sticky

Stateless Sessions (OpenAM 13):
• CPU: Decrypt/Verify Signature
• Session persists in Cookie
• Horizontal Scalability
• Load Balancer: Round Robin

Performance Comparison


Test Setup: Stateful
• 2 OpenAM servers
• 2 OpenDJ servers
• Standard failover
• External Load Balancer

Test Setup: Stateless
• 2 OpenAM servers
• No failover
• Session Signing
• External Load Balancer

Hardware: Dell PowerEdge R620

Performance Test Objective

Session Management performance comparison

• Sustained duration (10 min)
• 5,000 concurrent users
• Login, validate, logout
• Basic Stateless
  – Signing
  – No blacklist


Gatling (http://gatling.io)

Performance Graphs


Stateful Sessions: 3,000 Login/Second

Stateless Sessions: 5,000 Login/Second

Performance Analysis

Expectations:
• Stateful faster, in memory Sessions
• Stateless processing time slower

Actual Result:
• Process Stateless Session quick
• Stateful code path obvious factor


Comparison of path through code base

Takeaways
• Dramatic growth in connected ‘things’
• OpenAM supports a lot of these use cases
• Tradeoffs exist - no “one size fits all”
• Enabling new options for scaling
• Faster than I expected


Thank You!

Robert Wapshott
Senior Software Developer, ForgeRock

[email protected]