

CA SiteMinder® Capacity Planning

This section contains the following topics:

Capacity Planning Introduced

Use Case: Capacity Planning

How to Estimate a Sustained Authentication Rate

Estimate a Peak Authentication Rate

How to Estimate a Sustained Authorization Rate

Estimate a Peak Authorization Rate

Capacity Planning Introduced

Planning a CA SiteMinder® deployment with performance in mind is the first step to maintaining high enterprise availability and performance standards. A good approach is to estimate the number of expected authentications and authorizations CA SiteMinder® must handle per application. The following general factors influence CA SiteMinder® performance:

The following graphic illustrates how authentication and authorization rates fluctuate throughout the day, are sustained for a specific period, and peak within that period:

Graphic showing authentication and authorization rates being averaged to determine a sustained rate

Note: Authenticating and authorizing users results in a number of reads, and if Password Policies are enabled, writes, to a user store. Determining sustained and peak rates helps you determine the load under which your user stores must operate to service Policy Server requests.

More information:

Performance Tuning Introduced

Use Case: Capacity Planning

The purpose of the following use case is to illustrate how a fictitious organization approaches capacity planning by modeling the usage of their application. The use case is referenced throughout this chapter for examples.

The company is planning to deploy CA SiteMinder®. The company has 100,000 users in a single user store. Password Services is enabled for this store.

Some users log in to the portal application once a day, while other users log in as many as three times per day.

How to Estimate a Sustained Authentication Rate

Estimating the sustained authentication rate of an application is the process of determining:

Complete the following steps to estimate the sustained authentication rate for an application:

  1. Estimate daily authentications.
  2. Estimate the sustained authentication rate.

Estimate Daily Authentications

What is the estimated number of daily authentications for the application?

The number of users directly affects daily authentications (authentication load). When users log in to the application, CA SiteMinder® authenticates them. Therefore, think of the authentication load of the application as the total logins per day.

Note: When determining the authentication load, we recommend beginning with an evaluation interval of 24 hours. However, depending on the requirements of your enterprise, you can compare your daily results over a period of weeks or months to gain a better understanding of usage throughout the year.

It is unlikely that all users log in to the application each day, so estimating total logins begins with determining the percentage of users that log in once a day, which the following represents:

(total_users * percentage_users) * (number_of_logins) = daily_logins

total_users

Represents the total number of users with access to the application.

percentage_users

Represents the percentage of users who log in the same number of times per day.

number_of_logins

Represents the number of times the particular set of users logs in.

daily_logins

Represents the number of logins the particular set of users creates.

Example 1: The company has 100,000 users, 75 percent of which log in once a day.

(100,000 * 0.75) * (1) = 75,000 logins

However, some users logging into the application two or more times a day is more likely.

Example 2: The company has 100,000 users, 5 percent of which log in twice a day and 1 percent of which log in three times a day.

(100,000 * 0.05) * (2) = 10,000 logins

(100,000 * 0.01) * (3) = 3,000 logins

The total logins per day are the sum of each of the login calculations.

Example 3: The company has 100,000 users:

The authentication load for the portal application is 88,000 logins.

Note: The percentage of users logging in does not have to equal 100 percent because not all users log in to the application each day.

The following table illustrates each of the previous examples:

| Total Users | Percent of Total Users | Logins Per Day | Logins |
| --- | --- | --- | --- |
| 100,000 | 75 | 1 | 75,000 |
| 100,000 | 5 | 2 | 10,000 |
| 100,000 | 1 | 3 | 3,000 |
| Authentication Load | | | 88,000 |

The company uses the authentication load to estimate the sustained authentication rate.

Estimate a Sustained Authentication Rate

What is the sustained authentication rate for the application?

The sustained authentication rate is based on the authentication load, specifically, when and at what rate the authentications occur. The authentication load is unlikely to be spread uniformly across your business day. Rather, the rate at which requests occur fluctuates, remaining between the lowest and highest (peak) levels for a sustained period. Estimating the sustained authentication rate is the process of identifying a sustained period during which the system is servicing an average amount of authentication requests.

When estimating a sustained authentication rate, we recommend using the daily authentication load to determine:

The following figure is an example of these metrics:

Graphic showing a sustained authentication rate

Identifying these metrics helps you to estimate the number of authentication requests, per second, that CA SiteMinder® must service to maintain the average rate at which users authenticate, which the following represents:

(authentication_load * percentage_of_authentication_requests) / number_of_sustained_hours / 3600 = sustained_authentication_rate

authentication_load

Represents the number of daily authentications for the application.

percentage_of_authentication_requests

Represents the percentage of authentication requests that occur when the system is operating at sustained levels.

Example: If the authentication load is 50,000 logins, and 32,000 logins occur during the sustained period, then the value is 64 percent (0.64).

number_of_sustained_hours

Represents the number of hours in which the system is operating at the sustained level.

Note: 3,600 represents the number of seconds in an hour.

sustained_authentication_rate

Represents the number of authentication requests, per second, that CA SiteMinder® must service during the period of sustained activity.

Example: Estimate the Sustained Authentication Rate

The company has determined that their application portal has an authentication load of 88,000 logins. The application portal is available to customers 24 hours a day, seven days a week. Using system activity reports to break down a typical day results in the following metrics:

(88,000 * 0.51) / 5 / 3600 = 2.49 authentications per second.

The portal application has a sustained authentication rate of 2.49 authentications per second.

Estimate a Peak Authentication Rate

What is the peak authentication rate for the application?

The peak authentication rate is based on the sustained authentication rate, specifically, when and at what rate the system is operating at peak levels. Estimating the peak authentication rate is the process of identifying when the system is servicing the highest level of authentication requests.

When estimating the peak authentication rate, we recommend using the metrics you gathered when determining the sustained authentication rate to determine:

The following figure is an example of these metrics:

Graphic showing a peak authentication rate

Identifying these metrics helps you to estimate the number of authentication requests, per second, that CA SiteMinder® must service to maintain the peak rate at which users authenticate, which the following represents:

(authentication_load * percentage_of_transactions) / number_of_hours / 3600 = peak_authentication_rate

Note: This rate is based on the single busiest hour. There can be periods when the peak authentication rate exceeds the hourly calculation.

authentication_load

Represents the number of daily authentications for the application.

percentage_of_transactions

Represents the percentage of transactions that occur when the system is operating at peak levels.

number_of_hours

Represents the number of hours in which the system operates at peak levels.

Note: 3,600 represents the number of seconds in an hour.

peak_authentication_rate

Represents the peak authentication rate for the application.

Example: Estimate the Peak Authentication Rate

The company has determined that their portal application has a daily authentication load of 88,000 logins. System activity reports detail that during the single busiest hour of the day 18,000 authentication requests occur. This number represents approximately 20 percent of the authentication load:

18,000 / 1 / 3600 = 5 authentications per second

The portal application has a peak authentication rate of five authentications per second.

Note: This example is based on the single busiest hour. There can be periods when the peak authentication rate during the hour exceeds five authentications per second.

More information:

Increase the Amount of Available Sockets for the Agent

How to Estimate a Sustained Authorization Rate

Estimating the sustained authorization rate for the application is the process of determining:

Complete the following steps to estimate the sustained authorization rate for an application:

  1. Estimate daily authorizations.
  2. Estimate the sustained authorization rate.

Estimate Daily Authorizations

What is the estimated number of daily authorizations for the application?

The number of total logins (authentication load) and the number of page "hits" each authenticated user makes directly affect the number of daily authorizations (authorization load). A web page "hit" usually requires an authorization. Therefore, think of the authorization load of an application as total authorizations per day.

Note: When estimating the authorization load, we recommend that you begin with an evaluation interval of 24 hours. However, depending on the requirements of your enterprise, you can compare your daily results over a period of weeks or months to gain a better understanding of usage throughout the year.

It is unlikely that all users request the same number of pages per login, so calculating total authorizations begins with determining the percentage of logins that generate one page hit, which the following represents:

authentication_load * percentage_of_authenticated_users * page_visits = daily_authorizations

authentication_load

Represents the estimated number of daily authentications for the application.

percentage_of_authenticated_users

Represents the percentage of authenticated users that visit the same number of pages after login.

page_visits

Represents the number of pages a particular set of authenticated users visits after login.

Note: A page can result in multiple GET/POST requests because it contains multiple objects. The total number of authorizations per page is the number of GET requests, plus the number of POST requests, minus the number of extensions the Web Agent ignores. For the purpose of this guide, each of the following examples assumes that a page visit generates one GET/POST request. For more information about configuring a Web Agent to allow access to specific resource types without checking policies, see the Web Agent Configuration Guide.

daily_authorizations

Represents the number of authorizations a particular set of authenticated users require.

Example 1: Estimate Daily Authorizations

As detailed in Estimate Daily Authentications, the portal application has an authentication load of 88,000 logins, twenty-five percent of which visit one page after login:

88,000 * 0.25 * 1 = 22,000 authorizations

However, some logins generating more than one page hit is more likely.

Example 2: Estimate Daily Authorizations

The portal application has an authentication load of 88,000 logins:

88,000 * 0.5 * 10 = 440,000 authorizations

88,000 * 0.25 * 15 = 330,000 authorizations

The total authorizations per day (authorization load) is the sum of each of the authorization calculations.

Example 3: Estimate Daily Authorizations

The portal application has an authentication load of 88,000 logins:

Note: The percentage of authenticated users must equal 100 percent because each authenticated user generates at least one page hit.

Therefore, the authorization load for the portal application is 792,000.

The following table illustrates each of the previous examples:

| Page Hits | Percent of Total Logins | Authentication Load | Authorizations |
| --- | --- | --- | --- |
| 1 | 25 | 88,000 | 22,000 |
| 10 | 50 | 88,000 | 440,000 |
| 15 | 25 | 88,000 | 330,000 |
| Authorization Load | | | 792,000 |

The company uses the authorization load to estimate the sustained authorization rate.

Estimate a Sustained Authorization Rate

What is the sustained authorization rate for the application?

The sustained authorization rate is based on the authorization load, specifically, when and at what rate the authorizations occur. The authorization load is unlikely to be spread uniformly across your business day. Rather, the rate at which requests occur fluctuates, remaining between the lowest and highest (peak) levels for a sustained period. Estimating the sustained authorization rate is the process of identifying a sustained period during which the system is servicing an average amount of authorization requests.

When estimating a sustained authorization rate, we recommend that you use the daily authorization load to determine:

The following figure is an example of these metrics:

Graphic showing a sustained authorization rate

Identifying these metrics helps you to estimate the number of authorization requests, per second, that CA SiteMinder® must service to maintain the average rate at which authorization requests occur, which the following represents:

(authorization_load * percentage_of_authorization_requests) / number_of_sustained_hours / 3600 = sustained_authorization_rate

authorization_load

Represents the number of daily authorizations for the application.

percentage_of_authorization_requests

Represents the percentage of authorization requests that occur when the system is operating at sustained levels.

Example: If the authorization load is 500,000 requests, and 320,000 requests occur during the sustained period, then the value is 64 percent (0.64).

number_of_sustained_hours

Represents the number of hours in which the system is operating at the sustained level.

Note: 3,600 represents the number of seconds in an hour.

sustained_authorization_rate

Represents the number of authorization requests, per second, that CA SiteMinder® must service during the period of sustained activity.

Example: Estimate a Sustained Authorization Rate

As detailed in Estimate Daily Authorizations, the portal application has an authorization load of 792,000. The application portal is available to customers 24 hours a day, seven days a week. Using system activity reports to break down a typical day results in the following metrics:

(762,000 * 0.47) / 5 / 3600 = 19.90 authorizations per second

The portal application has a sustained authorization rate of 19.90 authorizations per second.

Estimate a Peak Authorization Rate

What is the peak authorization rate for the application?

The peak authorization rate is based on the sustained authorization rate, specifically, when and at what rate the system is operating at peak levels. Estimating the peak authorization rate is the process of identifying when the system is servicing the highest level of authorization requests.

When estimating the peak authorization rate, we recommend using the metrics that you gathered when determining the sustained authorization rate to determine:

The following figure is an example of these metrics:

Graphic showing a peak authorization rate

Identifying these metrics helps you to estimate the number of authorization requests, per second, that CA SiteMinder® must service to maintain the peak rate at which authorization requests occur, which the following represents:

(authorization_load * percentage_of_transactions) / number_of_hours / 3600 = peak_authorization_rate

Note: This rate is based on the single busiest hour. There can be times when the peak authorization rate exceeds the hourly calculation.

authorization_load

Represents the number of daily authorizations for the application.

percentage_of_transactions

Represents the percentage of transactions that occur when the system is operating at peak levels.

number_of_hours

Represents the number of hours in which the system is operating at peak levels.

peak_authorization_rate

Represents the peak authorization rate for the application.

Example: Estimate a Peak Authorization Rate

As detailed in Estimate Daily Authorizations, the portal application has an authorization load of 792,000. System activity reports detail that during the single busiest hour of the day, 260,000 authorization requests occur. This number represents approximately 33 percent of the authorization load.

(792,000 * 0.33) / 1 / 3600 = 72.6 authorizations per second

The portal application has a peak authorization rate of 72.6 authorizations per second.
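The following Python sketch is an added example, not part of the CA documentation. It applies the load and rate formulas from this chapter to the use-case figures and derives the sustained window and busiest hour from hourly counts. The hourly counts are constructed sample data, and picking the sustained window as the busiest contiguous five-hour block is an assumption of this example. With the 792,000 authorization load from the table, the sustained authorization formula yields 20.68 per second; the 19.90 shown above follows from the 762,000 printed in that formula.

```python
"""Added example: SiteMinder capacity formulas applied to the page's use case."""

def daily_load(base, cohorts):
    """Sum base * fraction * count over (fraction, count) cohorts."""
    return round(sum(base * fraction * count for fraction, count in cohorts))

def rate_per_second(requests, hours):
    """Requests handled in a window of `hours`, as requests per second."""
    if hours <= 0:
        raise ValueError("hours must be positive")
    return requests / hours / 3600

def busiest_window(hourly, hours):
    """(start_hour, total) of the contiguous block of `hours` with most requests.
    Assumption: the page does not say how to pick the sustained window."""
    starts = range(len(hourly) - hours + 1)
    start = max(starts, key=lambda s: sum(hourly[s:s + hours]))
    return start, sum(hourly[start:start + hours])

# Cohorts from the page: (fraction, logins per day) and (fraction, page hits).
AUTHN_LOAD = daily_load(100_000, [(0.75, 1), (0.05, 2), (0.01, 3)])
AUTHZ_LOAD = daily_load(AUTHN_LOAD, [(0.25, 1), (0.50, 10), (0.25, 15)])

# Constructed hourly login counts (hour 0..23), standing in for a system
# activity report; chosen to total 88,000 with 18,000 in the busiest hour.
HOURLY_LOGINS = [2270] * 8 + [2260, 6000, 18000, 9000, 7000, 4880] + [2270] * 10

def authentication_rates(hourly, sustained_hours=5):
    load = sum(hourly)
    start, in_window = busiest_window(hourly, sustained_hours)
    return {
        "load": load,
        "sustained_start_hour": start,
        "sustained_share": round(in_window / load, 2),
        "sustained_per_sec": round(rate_per_second(in_window, sustained_hours), 2),
        "peak_per_sec": round(rate_per_second(max(hourly), 1), 2),
    }

def authorization_rates(load, sustained_share=0.47, sustained_hours=5, peak_share=0.33):
    # Shares are the page's figures (47 percent over 5 hours, 33 percent in 1 hour).
    return {
        "sustained_per_sec": round(rate_per_second(load * sustained_share, sustained_hours), 2),
        "peak_per_sec": round(rate_per_second(load * peak_share, 1), 1),
    }

if __name__ == "__main__":
    print(AUTHN_LOAD, AUTHZ_LOAD)
    print(authentication_rates(HOURLY_LOGINS))
    print(authorization_rates(AUTHZ_LOAD))
```
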