Performance of login with AA

2FA login with Advanced Authentication is quite a lengthy process. After a user has entered a username it takes 10 to 20 seconds until the selection of the chain.

Are there any ways to optimize this?

My guess is that it has to do with the number of user and/or group objects. While we tested AA with a few users we did not see any slow login performance.

Another idea is that it could be related to the version. Coincidentally at the same time when we changed from a few test accounts to productive operation with about 5000 accounts there was the upgrade to 6.4.2.

Are there any known performance losses with 6.4.2 or 6.4.3?

We have clustered AA 6.4.3 with 2 DB servers, 2 web servers  and NGINX loadbalancer.

Tags:

Parents
  • 0

    Hey. We're [  and me ] facing the same issue.

    We already have a post open about it and nothing has happened since then:

     Poor performance when login on Windows client 

    We've removed the nested groups, done everything as Support requested. Doesn't seem like I'll be changing anything in the near future. Could you please check if you have the same logs in your web server logs on the aa servers as those I posted in the linked post above?

    Best reguards,
    Jens

  • 0 in reply to 

    I have also disabled nested groups - no difference.

    I guess our logs should be quite different because we don't use client authentication but web authentication. I see the delay like this:

    Preamble: [OIDP TOP]
    Txn: Q1C0RoxSYdzBV-4b6XA
    Priority Level: FINER
    Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [536] thread=http-nio-0.0.0.0-1009-exec-1
    Elapsed time: 20.20 seconds
    Time: 2024-06-11T10:33:46.098+0000
    Log Data: Issue GET to http://127.0.0.1:6001/api/v1/users?user_name=CIT%5Cmguldner&attributes[..]

    Up to 20 Seconds while AA searches the repo for the username - and sometimes it gives up, probably 20+ seconds is a timeout:

    Preamble: [OIDP TOP]
    Txn: Q1C0RoCxpSsdYdzBV-4b6XA
    Priority Level: FINE
    Java: internal.osp.oidp.aa.NaafSource.searchImpl() [1479] thread=http-nio-0.0.0.0-1009-exec-18
    Time: 2024-06-11T10:58:22.399+0000
    Log Data: Error contacting Advanced Authentication server while searching: internal.atlaslite.jcce.exception.CoreCommunicationException: Error communicating with AA server during user lookup.
             =>java.net.SocketTimeoutException: Read timed out
          internal.osp.oidp.aa.NaafSource: NaafSource.java: findUserEx: 2,592
          internal.osp.oidp.aa.NaafSource: NaafSource.java: searchImpl: 1,451
          internal.osp.oidp.service.source.data.DataSourceHasSearchImpl: DataSourceHasSearchImpl.java: search: 133

Reply
  • 0 in reply to 

    I have also disabled nested groups - no difference.

    I guess our logs should be quite different because we don't use client authentication but web authentication. I see the delay like this:

    Preamble: [OIDP TOP]
    Txn: Q1C0RoxSYdzBV-4b6XA
    Priority Level: FINER
    Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [536] thread=http-nio-0.0.0.0-1009-exec-1
    Elapsed time: 20.20 seconds
    Time: 2024-06-11T10:33:46.098+0000
    Log Data: Issue GET to http://127.0.0.1:6001/api/v1/users?user_name=CIT%5Cmguldner&attributes[..]

    Up to 20 Seconds while AA searches the repo for the username - and sometimes it gives up, probably 20+ seconds is a timeout:

    Preamble: [OIDP TOP]
    Txn: Q1C0RoCxpSsdYdzBV-4b6XA
    Priority Level: FINE
    Java: internal.osp.oidp.aa.NaafSource.searchImpl() [1479] thread=http-nio-0.0.0.0-1009-exec-18
    Time: 2024-06-11T10:58:22.399+0000
    Log Data: Error contacting Advanced Authentication server while searching: internal.atlaslite.jcce.exception.CoreCommunicationException: Error communicating with AA server during user lookup.
             =>java.net.SocketTimeoutException: Read timed out
          internal.osp.oidp.aa.NaafSource: NaafSource.java: findUserEx: 2,592
          internal.osp.oidp.aa.NaafSource: NaafSource.java: searchImpl: 1,451
          internal.osp.oidp.service.source.data.DataSourceHasSearchImpl: DataSourceHasSearchImpl.java: search: 133

Children