[keycloak-user] Performance

Hammarberg, Daniel daniel.hammarberg at capgemini.com
Tue Mar 27 03:57:38 EDT 2018


Hi Marian and all others,

Thank you for your input. Our main concern right now, except that we run on much smaller machines, is that the initial user import takes too long time to finish. It starts out fast and then quite soon, it runs slower and slower. Do you think it would help to radically reduce the number of hashing iterations (to, say one) during import? We force the users to change password on the first login anyway, so I guess that it would not affect security?

Best regards
/Daniel

_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services

Capgemini Sweden | Göteborg
Mob.: + 46 725 052212
www.capgemini.com
_______________________________________________________________________
Connect with Capgemini:



-----Original Message-----
From: Rainer-Harbach Marian <marian.rainer-harbach at apa.at>
Sent: den 26 mars 2018 15:23
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Performance

Hi Daniel,

On 2018-03-26 10:03, Hammarberg, Daniel wrote:
> In our currently running project, we are moving to Keycloak as SSO for a few sites with about 180000 active users, a large hierarchy of groups and peaks with thousands of calls per second. We are starting to get a feeling that Keycloak cannot handle such a large amount of data and traffic. Is there any documentation anywhere on server sizing and expected performance for large sites? Has anyone run peak tests and endurance tests on Keycloak and in that case, what was the outcome? Does anyone have experience in using Keycloak for sites of this size?
just to give you a rough idea: We are running performance tests against
a small Keycloak cluster (two machines with 24 CPU cores and 12 GB RAM
each). We simulate OIDC and SAML login flows using JMeter. These tests
use five million test users (but there are no groups).

In this scenario we achieve about 400 Logins per second or 12000
requests to the userinfo endpoint per second.

We found that login performance varies greatly with the number of PBKDF2
hashing iterations used (Keycloak uses 27500 by default).

Best regards,
Marian


________________________________

Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825 – S-161 24 Bromma.
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.



More information about the keycloak-user mailing list