
Identity Summit UK: STATELESS SESSIONS AND MANAGING HIGH-VOLUME DIGITAL SERVICES


Page 1

Customer Scale

Internet Scale Session Management with Stateless Sessions in OpenAM

Andy Hall, OpenAM Product Manager, ForgeRock

[email protected]

Page 2

Mobile devices: 7.5 billion

IoT Devices: 4.9 billion

Analysts predict rapid growth

Identity will be at the center

Challenge: Internet Scale

Copyright © Identity Summit 2015, all rights reserved.

Estimated 4 connected devices per person by 2020 (source: Strategy Analytics)

Page 3

Challenge: Internet Scale

• Elastic Deployment / Cloud

• Load Balancing

• Security

Features like Single Sign-On (SSO) will be ranked highly

Gartner Predicts Infrastructure Services Will Accelerate Cloud Computing Growth (Source)

Page 4

OpenAM: Access Management

OpenAM provides:

• Authentication

• Authorization

• Session Management

• Single Sign-On

• User Profiles

• Federation


Page 5

Session Management: Stateful

Session management is at the core of OpenAM:

• Cluster load balancing

• Failover Storage (OpenDJ)

• Session held in server memory

• Session persisted for failover


Stateful OpenAM deployment

Page 6

Session Management: Stateless

Stateless Session model introduced for OpenAM 13:

• Simplified load balancing

• No failover storage required

• No in-memory Session

• Session stored in cookie


Stateless OpenAM deployment

Page 7

Enabling Stateless Sessions

Optional Feature

Enabled per realm

Shared Signing/Encryption


Page 8

How do Stateless Sessions Work?

• Uses browser Cookie (JWT)

• Session can be Signed

  – HMAC Shared Secret

• Session can be Encrypted

  – RSA 256

• Package up in SSO Token (iPlanetDirectoryPro)

Comparison of Stateful and Stateless

Page 9

Stateless Sessions: Logout

Optional feature

Stores UID in-memory

Stores UID in CTS

Replicated between servers
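As an added illustration of the model on pages 8 and 9 (a signed JWT carried in the cookie, verified by any server holding the shared HMAC secret, plus the optional logout blacklist), not OpenAM's own code or token format; the secret, the in-process blacklist set standing in for the replicated CTS store, and the claim names are assumptions made for the example:

```python
import base64, hashlib, hmac, json

# Constructed values: a secret every server in the cluster shares, and a set that
# stands in for the replicated store of logged-out session identifiers.
SHARED_SECRET = b"constructed-demo-secret-shared-by-all-servers"
LOGOUT_BLACKLIST = set()

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes) -> str:
    # Always HMAC-SHA256; the header's "alg" is never trusted to pick the algorithm.
    return _b64(hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest())

def issue_session(user: str, session_id: str, ttl_seconds: int, now: float) -> str:
    """Build the HS256 JWT that goes into the session cookie."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "jti": session_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(f'{header}.{body}'.encode())}"

def validate_session(token: str, now: float):
    """Return the claims if signature, expiry and blacklist checks pass, else None.
    No lookup on a home server is needed: the cookie carries the whole session."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{header}.{body}".encode())):
        return None                                  # tampered or foreign token
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None                                  # expired
    if claims.get("jti") in LOGOUT_BLACKLIST:
        return None                                  # logged out (optional feature)
    return claims

def logout(token: str, now: float) -> bool:
    """Stateless logout: record the session identifier until the token expires anyway."""
    claims = validate_session(token, now)
    if claims is None:
        return False
    LOGOUT_BLACKLIST.add(claims["jti"])
    return True
```

Without the blacklist, a logged-out token stays valid until "exp", which is the trade-off the logout feature on this page exists to address.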


Page 10

Recommended for Stateless Sessions

Global Deployments

Replicating user Session data between data centres is a challenge

Failover recovery is complex

Stateless Sessions simplify this problem

Stateful communication: global replication

Page 11

Recommended for Stateless Sessions

Elastic Deployments seen in:

• Retail

• Media

• Entertainment

• Emergency

Server elasticity suits Stateless Sessions; Cloud is increasingly common

Page 12

REST and Stateless


• Increasingly valuable for third party applications

• Cookies are not RESTful

• Requires dependency on home server

• Crosstalk has performance consequence

Stateless Sessions for REST users might help

Page 13

Not Recommended for Stateless Sessions

There are situations where Stateless Sessions are not recommended:

• Session Quota: N logins on an account allowed

• CDSSO: Looks up Session based on restricted token

• SAML: Some profiles require stateful Session

This will be covered in documentation


Page 14

Deployment Characteristics

Stateful Sessions (OpenAM 10-13)     | Stateless Sessions (OpenAM 13)
Memory: Stored in Server memory      | CPU: Decrypt/Verify Signature
Session persists in Database         | Session persists in Cookie
Vertical Scalability                 | Horizontal Scalability
Load Balancer: Sticky                | Load Balancer: Round Robin

Page 15

Performance Comparison


Test Setup: Stateful

• 2 OpenAM servers

• 2 OpenDJ servers

• Standard failover

• External Load Balancer

Test Setup: Stateless

• 2 OpenAM servers

• No failover

• Session Signing

• External Load Balancer

Hardware: Dell PowerEdge R620

Page 16

Performance Test Objective

Session Management performance comparison

• Sustained duration (10 min)

• 5,000 concurrent users

• Login, validate, logout

• Basic Stateless

  – Signing

  – No blacklist

Gatling (http://gatling.io)

Page 17

Performance Graphs


Stateful Sessions

3,000 Login/Second

Stateless Sessions

5,000 Login/Second

Page 18

Performance Analysis

Expectations:

Stateful faster (in-memory Sessions)

Stateless processing time slower (signature verification per request)

Actual Result:

Processing a Stateless Session is quick

The longer Stateful code path is the obvious factor

Comparison of path through code base

Page 19

Takeaways

• Dramatic growth in connected ‘things’

• OpenAM supports a lot of these use cases

• Tradeoffs exist - no “one size fits all”

• Enabling new options for scaling

• Faster than I expected


Page 20

Thank You!

Andy Hall, OpenAM Product Manager, ForgeRock

[email protected]