Hi Mike,
> On 03 Apr 2015, at 19:34 pm, Mike Grady <
mapg...@gmail.com> wrote:
> I found the performance results for SimpleSAML that UNINETT did in 2008. Simple searching didn't turn up much else. But would using APC, which appeared to make a big difference in that 2008 testing, be a general recommendation? Any other general recommendations/tips to maximize performance?
Well, that is ancient and quite outdated now. But you already know that, of course.
I don’t know if there’s any other assessment on SSP’s performance more up to date than that. What I can do is to give you a hint on what we do in Feide, just in case that helps you.
We use SimpleSAMLphp with a custom authentication source as the unique identity provider in the federation, and that’s connected to the different LDAP backends of the institutions in Norway. Last year we got more than 75M authentications. This year, we’ve seen already days with more than .5M authentications. We’ve also observed peaks of 80 logins per second. It’s definitely not something very big, but quite good for a single identity provider, I think.
The infrastructure running this is relatively simple. We have four servers in production, each of them running SSP on their own. Two load balancers in front of them, and another two load-balanced memcache backend servers behind, holding session data and consent. Requests can be directed to any of the production servers, which will then gather session information from the backend. We also have a couple more servers as backup, with their own load balancers in front, which we use when we detect a problem in the production infrastructure or when we do some maintenance work. Switchover is performed by means of DNS.
We never had performance problems with this infrastructure and our current volume of use. We’ve done some performance tests before, stopping, if I recall correctly, at 10K authentications per minute. By coincidence, this saturday we’ll be running some more performance tests, this time looking for the real bottleneck of the infrastructure and trying to choke it. I can share with you the conclusions, if you are interested.
So my advice is:
- Prefork helps. There’s people who have a good experience with nginx, but I'm also aware of some problems with it.
- Avoid external connections as much as possible. If you really need to use a backend for sessions or something else, go for something really fast like memcache or others.
- If you have external sources of metadata, do caching. Aggressively. If possible, cache directly in memory. You could use tmpfs for that.
- If possible, distribute load across different servers.
- Use load balancers.
- Reduce the amount of things running in the servers. If you have a box for SSP on its own (either physical or virtual), that’s much better.
- Do not run expensive, periodic operations on the servers, as metadata refreshing. Specially if you manage huge metadata feeds as eduGAIN’s or UK fed’s. Use a dedicated machine for that, then synchronize metadata by other means (git, svn, rsync, your favourite choice here).
- Set reasonable timeouts for keep alive connections. If you are using load balancers, it might be wise to have connections always opened with your load balancers, so that you can avoid the maximum connections limit and share the resources optimally.
- Set a reasonable limit to the amount of processes apache is using. It doesn’t really help to allow more processes if you run out of memory. As soon as your server starts caching to disk, performance will degrade significantly (unless you are using ultrafast, SSD disks).
Hope that helps :-)
--
Jaime Pérez
UNINETT / Feide
mail:
jaime...@uninett.no
xmpp:
ja...@jabber.uninett.no
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost