Skip to main content

Skillber v1.0 is here!

Learn more

Performance & Scalability

Checking access...

IAM and PAM systems must handle authentication traffic that is both high-volume and bursty (Monday morning logins, incident-driven privilege elevation). Performance engineering ensures that authentication latency remains acceptable under peak load and that the platform can scale to meet growing demand.

Performance Dimensions

DimensionMetricTargetImpact of Degradation
Authentication latencyTime to complete login (IdP)< 1 second (with MFA: < 3 seconds)User frustration, app timeouts
Token issuanceTokens per secondSustained peak × 1.5 bufferApp access failures, login failures
Directory lookupLDAP search response time< 50ms average, < 200ms p99Auth latency, authorisation latency
PAM session initiationTime to establish proxied session< 5 secondsAdmin productivity loss
Session recording ingestWrite throughput to recording storage> 2x peak concurrent recording bitrateLost recordings, compliance gaps
Provisioning throughputUser account operations per minutePeak new-hire day × 2 bufferDelayed access, productivity loss
API response timeREST API request duration< 500ms average, < 2s p99Slow UIs, automation timeouts

Authentication Performance

Factors Affecting Auth Performance

FactorImpactMitigation
Directory lookup latencyHigh — each auth event may require 1-5 directory lookupsDirectory performance tuning, caching, read replicas
MFA latencyMedium-High — push notifications, SMS delivery, TOTP validationPush notification optimisation, pre-warming MFA channels
Token signingLow-Medium — cryptographic operationHSM acceleration, token caching (where safe)
Network round tripMedium — user to IdP, IdP to directoryCDN for IdP endpoints, regional IdP deployment
Session store accessMedium — session lookup on each requestDistributed cache (Redis), session affinity
Policy evaluationMedium — ABAC policy evaluationPolicy engine performance, rule indexing

Authentication Throughput Scaling

Auth Requests per Second
^
│ ┌──────┐
│ │ │ ┌──────┐
400 │ │ │ │ │
│ │ │ ┌───┤ │
300 │ │ │ │ │ │
│ │ │ │ │ │
200 │ ┌────┤ │ │ │ │
│ │ │ │ │ │ │
100 │ │ │ │ │ │ │
│ │ │ │ │ │ │
0 └───┴────┴──────┴─────┴───┴──────┴──> Time
Mon Tue Wed Thu Fri
(Peak: Monday morning login surge)

Scaling Approach

Scaling MethodApproachEffectivenessTime to Deploy
Horizontal (IdP nodes)Add more IdP instances behind LBLinear scale (with stateless design)Minutes (auto-scaling)
Vertical (IdP instance)Larger instance sizeDiminishing returns after 8 coresMinutes (restart)
Directory read replicasAdd domain controllers / LDAP replicasNear-linear for read-heavy auth workloadsHours to days
Cache replicaAdd Redis cluster nodesSignificant for session-intensive workloadsMinutes
Global distributionRegional IdP deploymentsEliminates cross-region latency, improves geo-redundancyWeeks to months

Directory Performance

LDAP Directory Performance Tuning

AreaTuning ParameterDefaultRecommendedImpact
IndexingSearch attributes indexedMinimal (pre-created)Index all filter attributes10-100x search improvement
Connection poolingConnections per application serverVaries by platform10-50 per app server5-10x auth throughput increase
Cache sizeEntry cache percentageDefault (varies)50%+ of total directory2-5x read performance
Thread poolWorker threads per CPUDefault (varies)10-50 per CPU core2-3x concurrent op throughput
Page sizeSearch result page size100 (varies)1000Fewer round trips for bulk ops
Referral chasingClient vs. server chaseServer (varies)Client-disableReduces server overhead for simple lookups

Active Directory Performance

MetricHealthy ThresholdWarningCritical
LDAP bind latency< 10ms> 50ms> 200ms
LDAP search time< 50ms> 200ms> 500ms
Replication latency< 15 seconds> 5 minutes> 15 minutes
CPU utilisation (DC)< 40%> 60%> 80%
Memory utilisation< 60%> 75%> 90%
Disk queue length< 1> 3> 5
Authentication rate< 50% of capacity> 75% of capacity> 90% of capacity

PAM Session Recording Storage

Storage Requirements

Session TypeBitrateStorage/HourStorage/8-Hour WorkdayMonthly (50 admins)
Text/SSH session~1 KB/s~3.6 MB~28.8 MB~3.6 GB
RDP session (low quality)~100 KB/s~360 MB~2.9 GB~360 GB
RDP session (medium)~500 KB/s~1.8 GB~14.4 GB~1.8 TB
RDP session (high quality)~2 MB/s~7.2 GB~57.6 GB~7.2 TB
Screen recording (video)~1-5 MB/s~3.6-18 GB~28.8-144 GB~3.6-18 TB

Tip

PAM session recording storage grows faster than most organisations expect. A medium-sized deployment (50 admins, RDP medium quality) generates ~1.8 TB per month. Plan for compression (typically 5:1 to 20:1 for RDP), retention policies aligned with compliance requirements, and tiered storage (fast SSD for recent recordings, S3/object storage for archival). Implement lifecycle policies to move recordings to cheaper storage tiers after 30-90 days.

Caching Strategy

What to Cache

Cache TargetCache TypeTTLCache Hit Ratio TargetInvalidation Strategy
Authentication sessionsDistributed (Redis)Session durationN/A (session data)Session expiry, admin revoke
Directory search resultsLocal (in-memory)30-300 seconds80%+TTL expiry
Group membershipDistributed (Redis)60-300 seconds90%+TTL + directory change notification
Role assignmentsDistributed (Redis)300 seconds95%+TTL + IGA change event
Policy evaluation resultsLocal (in-memory)60-600 seconds85%+TTL + policy version check
Public key / JWKSLocal (in-memory)24 hours (until rotation)99%+Certificate rotation triggered
MFA trust decisionsLocal (cookie)1-14 daysN/ADevice cookie expiration

Cache Architecture

┌─────────────────────────────────────────────────────────┐
│ APPLICATION INSTANCE │
│ │
│ ┌─────────────────────┐ ┌──────────────────────┐ │
│ │ Local Cache (L1) │ │ Distributed Cache │ │
│ │ (In-process: expiring│ │ (Redis cluster) │ │
│ │ group, role, policy) │ │ Sessions, tokens │ │
│ │ TTL: 30-600s │ │ Persistent + TTL │ │
│ └─────────────────────┘ └──────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────┘
│ │
│ │
v v
┌─────────────────┐ ┌─────────────────┐
│ Directory │ │ Redis Cluster │
│ (Authoritative) │ │ (Sharded + Repl)│
└─────────────────┘ └─────────────────┘

Load Testing

Load Test Plan

Test ScenarioDescriptionTarget MetricSuccess Criteria
Peak authenticationSimulate Monday morning login surgeAuth requests per secondp99 latency < 2s, zero errors
Steady stateNormal business hours loadSustained throughputp50 latency < 500ms, p99 < 2s
BurstSudden spike (incident, power restoration)Max sustained throughputRecover within 30s, no cascading failure
MFA surgeAll users required MFA simultaneouslyMFA throughputp99 < 5s, push delivery within 2s
Provisioning peakNew hire batch (first day of month)Accounts created per minuteAll accounts created within 1 hour
Directory searchConcurrent LDAP searchesSearches per secondp99 search time < 200ms
PAM session rushConcurrent session startsSessions per secondAll sessions established within 5s

Load Testing Tools

ToolProtocol SupportBest ForNotes
JMeterHTTP, LDAP, JDBC, customIdP API, authentication flowsExtensive plugin ecosystem
k6HTTP, gRPCModern API testing, CI/CD integrationJavaScript-based scripting
LocustHTTP, customPython-based, distributedGood for complex auth flows
GatlingHTTP, JMSHigh-performance simulationScala/Java-based
VegetaHTTPSimple, high-throughput HTTP testingCommand-line focused

Capacity Planning

Capacity Planning Formula

Required capacity = (Peak concurrent users × Auth rate per user) × Growth factor × Buffer
Where:
- Peak concurrent users = Total users × % peak concurrency
- Auth rate per user = Average auth events per user per hour / 3600
- Growth factor = Projected user growth over planning horizon (typically 12-24 months)
- Buffer = 1.5 (50% headroom for unexpected spikes)

Example Capacity Calculation

VariableValueSource
Total users50,000HRIS headcount
Peak concurrency30%Historical Monday peak
Auth rate per user2/hourAverage SSO app usage
Peak auths per second50,000 × 0.3 × 2 / 3600 = 8.3Calculation
Growth factor (24 months)1.2 (20% growth)Business plan
Buffer1.5Standard headroom
Required capacity8.3 × 1.2 × 1.5 = ~15 auths/secFinal target

Capacity Monitoring Thresholds

MetricWarning (Alert)Critical (Auto-scale)Action
IdP CPU> 60%> 80%Add IdP nodes
IdP memory> 70%> 85%Add IdP nodes
Directory CPU> 50%> 75%Add directory replicas
Redis memory> 70%> 85%Add Redis replicas
Session recording storage> 70% capacity> 85% capacityAdd storage, review retention
Authentication latency (p99)> 2s> 5sScale out IdP, check directory
API response time (p99)> 2s> 5sScale out API tier

Key Takeaways

  • IAM/PAM performance has six critical dimensions: authentication latency (< 1s without MFA, < 3s with MFA), token issuance rate, directory lookup speed (< 50ms average), PAM session initiation (< 5s), session recording ingest, and provisioning throughput
  • Authentication performance is affected by directory latency, MFA latency, token signing, network round trips, session store access, and policy evaluation — horizontal scaling of stateless IdP nodes is the most effective scalability approach
  • Directory performance tuning requires proper indexing of search attributes, connection pooling (10-50 per app server), entry cache sizing (50%+ of directory data), thread pool tuning, and page size configuration (1000)
  • PAM session recording storage grows faster than expected — a 50-admin RDP deployment generates ~1.8 TB/month — plan for compression, retention policies, and tiered storage with lifecycle transitions
  • Caching strategy has four layers: local (in-process, short TTL for groups/roles/policies), distributed (Redis for sessions/tokens), read replicas (directory lookups), and CDN (static IdP metadata, JWKS) — each layer has specific TTL and invalidation requirements
  • Capacity planning follows the formula: Peak concurrent users × Auth rate per user × Growth factor × Buffer (1.5x) — monitor CPU (>60% warning, >80% auto-scale), memory, directory load, Redis memory, storage, and latency at p99 to trigger scaling actions
  • Load testing must cover peak, steady state, burst, MFA surge, provisioning peak, directory search, and PAM session rush scenarios — use tools like JMeter, k6, Locust, Gatling, or Vegeta depending on protocol and scripting requirements