Caching


Roland Hedberg

Apr 21, 2020, 2:35:08 PM
to openid-feder...@googlegroups.com
Hi!

Jouke started this with a question to me about caching.

So I made the following thought experiment:

Assume that no one is doing any caching of entity statements and that client registrations are only valid for one query.
That would lead to the federation root being hit with 2 queries per authorization request.

This is a worst case scenario.

Now, what would that mean in reality ?

I asked for and got access to information gathered from entities in the SWAMID SAML2 federation.
The information I got was authorization queries with timestamps and information on from which SP to which IDP.
I don’t know if I got information from all entities but that doesn’t matter.

The total number of queries in 2019 was close to 80 million. Max for a day was ~540000.

If we just use this number on an OIDC federation, the federation root would get
~12.5 queries/second (if the queries are spread evenly over the day, which of course they ain’t).

So we then made the assumption that the root cached information which gave this information per day:

Cache misses (15 min caching) : 4063
Cache misses (30 min caching) : 2187
Cache misses (60 min caching) : 1162

Nothing that any reasonably implemented entity will choke on :-)

SWAMID is a small federation, it would be interesting to do the same exercise for a bigger federation
like the UK one or Internet2.

It might be possible to get information from FEIDE (Norway), WAYF (Denmark), SURFConnext (The Netherlands) since
all of them are hub-and-spoke.

— Roland
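The thought experiment above (two root queries per authorization request, then a root-side cache with a 15/30/60 minute lifetime) can be replayed against any query export. The following is an added example, not Roland's script and not SWAMID's data: the log lines are constructed in an assumed "timestamp SP IdP" format, and the cache is modelled per entity, so each SP and IdP statement fetched at time t is served from cache until t + ttl. A ttl of 0 reproduces the no-caching worst case, and the rate helper gives Roland's ~12.5 queries/second for 540000 requests on the peak day.

```python
from datetime import datetime, timedelta

# Constructed sample export in an assumed "timestamp SP IdP" format; not SWAMID's real data.
SAMPLE_LOG = """\
2019-09-02T08:00:00Z sp-a.example.org idp-x.example.se
2019-09-02T08:05:00Z sp-b.example.org idp-x.example.se
2019-09-02T08:10:00Z sp-a.example.org idp-y.example.se
2019-09-02T08:20:00Z sp-a.example.org idp-x.example.se
2019-09-02T08:40:00Z sp-b.example.org idp-y.example.se
2019-09-02T09:30:00Z sp-a.example.org idp-x.example.se
2019-09-02T09:31:00Z sp-c.example.org idp-x.example.se
2019-09-02T09:45:00Z sp-a.example.org idp-y.example.se
"""


def parse_log(text):
    """Parse 'timestamp SP IdP' lines into (datetime, sp, idp) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sp, idp = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sp, idp))
    events.sort()
    return events


def count_cache_misses(events, ttl_minutes):
    """Replay the log against a per-entity cache in front of the federation root.

    Model (the worst case in the thread): every authorization request costs the
    root two queries, one for the statement about the SP and one about the IdP.
    A statement fetched at t is served from cache until t + ttl; ttl 0 means no
    caching at all. Returns (total_queries, cache_misses), where the misses are
    the queries the root actually has to answer (and sign).
    """
    ttl = timedelta(minutes=ttl_minutes)
    fresh_until = {}          # entity -> time its cached statement goes stale
    total = misses = 0
    for ts, sp, idp in events:
        for entity in (sp, idp):
            total += 1
            if entity not in fresh_until or ts >= fresh_until[entity]:
                misses += 1
                fresh_until[entity] = ts + ttl
    return total, misses


def misses_by_ttl(text, ttls=(0, 15, 30, 60)):
    """Cache misses for each candidate lifetime, on the same log."""
    events = parse_log(text)
    return {ttl: count_cache_misses(events, ttl)[1] for ttl in ttls}


def worst_case_root_rate(requests_per_day, queries_per_request=2):
    """Average root load in queries/second with no caching, spread evenly over the day."""
    return requests_per_day * queries_per_request / 86400


if __name__ == "__main__":
    for ttl, misses in misses_by_ttl(SAMPLE_LOG).items():
        print(f"cache misses ({ttl} min caching): {misses}")
    print(f"worst case for the peak day: {worst_case_root_rate(540000):.1f} queries/second")
```

The per-entity key is the simplification to watch: a real resolver caches per (issuer, subject) pair and honours the statement's own exp, so the misses counted here are a lower bound on what a per-pair cache with a shorter exp would see.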

Vladimir Dzhuvinov

Apr 21, 2020, 2:55:49 PM
to openid-feder...@googlegroups.com
Thanks Roland, that's good info to gauge potential load in practice.

We decided to add caching support in the SDK for stmts in resolved trust
chains for two reasons:

- to allow requests to go through in case of intermittent network outage
of the anchor or intermediates

- to make client operation more responsive


For more complex feds we even made it possible during resolution to
ignore network exceptions while there is still a possibility to obtain a
complete valid trust chain.


Hope we didn't over engineer :)

Vladimir
--
Vladimir Dzhuvinov
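The two behaviours described in the message above, reusing cached statements so a resolution still succeeds while the anchor or an intermediate is unreachable, and tolerating a network failure on one authority hint as long as another hint can still complete a valid trust chain, can be sketched in a few dozen lines. The following is an added example and not the SDK's code: the federation is a constructed toy (one RP under two intermediates, both under one trust anchor), statements are plain dicts rather than signed JWTs, so signature and key checks that a real resolver performs are omitted, and the outage is simulated by a `down` set on the fake network. One rule is kept deliberately strict: a cached statement is only reused while its own `exp` is in the future, and a statement that arrives already expired is rejected rather than cached.

```python
NOW = 1_600_000_000  # fixed clock for the constructed example


class FetchError(Exception):
    """An entity's federation endpoint could not be reached."""


def stmt(iss, sub, hints=None):
    """Build a stripped-down entity statement (plain dict, not a signed JWT)."""
    s = {"iss": iss, "sub": sub, "iat": NOW, "exp": NOW + 600}
    if hints is not None:
        s["authority_hints"] = hints
    return s


# Constructed toy federation: the RP hangs under two intermediates, both under one anchor.
RP, IA, IB, TA = ("https://rp.example.org", "https://inter-a.example.org",
                  "https://inter-b.example.org", "https://ta.example.org")
STATEMENTS = {
    (RP, RP): stmt(RP, RP, [IA, IB]),      # entity configuration with two authority hints
    (IA, RP): stmt(IA, RP), (IA, IA): stmt(IA, IA, [TA]),
    (IB, RP): stmt(IB, RP), (IB, IB): stmt(IB, IB, [TA]),
    (TA, IA): stmt(TA, IA), (TA, IB): stmt(TA, IB), (TA, TA): stmt(TA, TA, []),
}


class Network:
    """Simulated fetch of statements; issuers listed in `down` behave as unreachable."""
    def __init__(self, statements, down=()):
        self.statements, self.down, self.calls = statements, set(down), 0

    def fetch(self, iss, sub):
        if iss in self.down:
            raise FetchError(f"{iss} unreachable")
        self.calls += 1
        if (iss, sub) not in self.statements:
            raise FetchError(f"{iss} publishes no statement about {sub}")
        return self.statements[(iss, sub)]


class CachingResolver:
    def __init__(self, network, trust_anchors, clock=lambda: NOW):
        self.network, self.trust_anchors, self.clock = network, set(trust_anchors), clock
        self.cache = {}   # (iss, sub) -> statement, reused until its own exp

    def statement(self, iss, sub):
        now = self.clock()
        cached = self.cache.get((iss, sub))
        if cached is not None and cached["exp"] > now:
            return cached                       # still valid: no network round trip
        fresh = self.network.fetch(iss, sub)    # may raise FetchError
        if fresh["exp"] <= now:
            raise ValueError(f"expired statement from {iss} about {sub}")  # never use past exp
        self.cache[(iss, sub)] = fresh
        return fresh

    def resolve(self, entity_id):
        """Return [leaf config, subordinate stmt, ..., stmt issued by the anchor] or raise."""
        leaf = self.statement(entity_id, entity_id)   # an unreachable leaf is a hard failure
        errors = []
        path = self._walk(entity_id, leaf, errors, frozenset({entity_id}))
        if path is None:
            raise FetchError("no path to a trust anchor: " + "; ".join(errors))
        return [leaf] + path

    def _walk(self, entity_id, config, errors, seen):
        if entity_id in self.trust_anchors:
            return []
        for superior in config.get("authority_hints", []):
            if superior in seen:
                continue                          # loop guard
            try:
                sub_stmt = self.statement(superior, entity_id)
                sup_config = self.statement(superior, superior)
            except FetchError as e:
                errors.append(str(e))
                continue                          # this hint is down; another may still work
            rest = self._walk(superior, sup_config, errors, seen | {superior})
            if rest is not None:
                return [sub_stmt] + rest
        return None


if __name__ == "__main__":
    net = Network(STATEMENTS, down={IA})
    resolver = CachingResolver(net, {TA})
    for s in resolver.resolve(RP):
        print(s["iss"], "->", s["sub"])
    net.down.update({IB, TA})                   # outage after the first resolution
    print("resolved from cache:", len(resolver.resolve(RP)), "statements; fetches:", net.calls)
```

With inter-a down, the first resolution skips that hint and builds the chain through inter-b; a later resolution during a full outage of inter-b and the anchor still succeeds from the cache, but only until the cached statements reach their exp, after which the resolver fails rather than serving stale trust material.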


Jouke Roorda

Apr 21, 2020, 4:37:47 PM
to openid-feder...@googlegroups.com
Hi all,

SURF has actually put some numbers online:
https://www.surf.nl/files/2020-02/surf-conext-cijfers-2019-engelsv2.pdf
157,000,000 logins (5,250,000 daily peak; 2 Sept was the first day of
the academic year), of which I would presume 80%+ happens during
business hours. That would mean close to 150+/second.

On the MDSS side, I was thinking of using nginx caching for now for the
IGTF instance, as that's used as a reverse proxy anyway.

However, if you think about it, you could even go as far as to generate
statements offline and push them to some CDN. This would also mean your
signing process is not affected by load.

On the chain verification side I was thinking about doing Java caching,
but no concrete plans there yet.
Jouke Roorda | Software Engineer @ Nikhef
Computer Technology / Physics Data Processing