references to CAS production setups


Kaiser

Jul 9, 2019, 5:10:07 AM
to CAS Community
Greetings, CAS community

my customer is considering using CAS as a public OpenID server, since it is feature-rich and mature

however, the loads are quite high
a dataset of 5M+ identities and 1K+ logins per second is expected as peak load sustained for maybe an hour or so
this all may potentially grow to 3x-5x that size

CAS architecture is inherently non-reactive and thread-blocking all the way, so there are some concerns about performance

the impression so far is that CAS is primarily used for extranets in academic world, not for wider public audience (aka internets)

with some googling around, there was only this 6-years-old page found
wondering if there's a newer version somewhere...

or maybe someone here can share a success story about a production CAS installation running at the scale of several million identities and thousands of logins per second?

many thanks in advance for your reaction!


Andy Ng

Jul 9, 2019, 9:02:05 AM
to CAS Community
Hi Kaiser,

Well, I might not be the best person to speak about high load, since our CAS 5 expected stress level is much lower than yours. However, I would still like to make some comments:

> CAS architecture is inherently non-reactive and thread-blocking all the way
I am pretty sure most core components of CAS are multi-thread enabled, where do you get the info that CAS is thread-blocking all the way?

I have just looked back and found one of my PRs which fixes a thread-related issue: https://github.com/apereo/cas/pull/3679, so pretty sure CAS is multi-threaded.

> CAS is primarily used for extranets in academic world, not for wider public audience (aka internets)
Our CAS is internet facing :)

Here's the thing... The servers listed are CAS 2 and 3, which don't have OpenID enabled. So if you want to check the stress level for OpenID, you've got to either find some new data (hopefully in this thread!) or test it yourself.

> or maybe someone here can share a success story about a production CAS installation running at the scale of several million identities and thousands of logins per second?
This I cannot comment on, but you can always do a stress test. It should be quite easy to set up JMeter to test CAS using OpenID: https://github.com/apereo/cas/blob/master/etc/loadtests/jmeter/CAS_Oauth.jmx

See if the above info helps you!

Cheers!
- Andy








David Curry

Jul 9, 2019, 9:14:43 AM
to cas-...@apereo.org
Lafayette College provided their load testing results for CAS 5.1.x back in 2017:


The Locust configuration they used for this is available on Github:

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728
david...@newschool.edu



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f493fe78-c639-4918-9c01-4d0092d539d7%40apereo.org.

Bill Thompson

Jul 9, 2019, 9:35:55 AM
to CAS Community
There are well-known large B2C deployments in telecom and gaming with scale around 20 million clients and millions of authentications every day.

This is from a 2016 survey of 156 respondents:
Healthcare: 4 (2.8%)
Insurance: 5 (3.5%)
Government: 11 (7.5%)
Higher Ed: 109 (75.7%)
Finance: 1 (0.7%)
Travel: 1 (0.7%)
Other: 25 (17.4%)



Kaiser

Jul 9, 2019, 1:31:44 PM
to CAS Community
Thanks everyone for your replies, it was inspiring!

> I am pretty sure most core components of CAS are multi-thread enabled, where do you get the info that CAS is thread-blocking all the way?
I never questioned the fact that CAS is multi-threaded.
All I wanted to say is that it is using the 20+ years old thread-per-request paradigm (vs asynchronous like Undertow or Spring Web Reactive), and it doesn't use any asynchronous storage features either.
That means as long as you have 1000 requests per second, you likely have 1000s of threads in your system, which causes high CPU core contention and high latencies.

> well known large b2c deployments in telecom and gaming with scale around 20 million clients and millions of authentications every day.

That's impressive enough, I assume some sort of distributed cache is used for ticket storage in this case?

Of course load tests are planned, as this is cloud-hosted and we have to be cautious with costs.