Hi Marian and all others, Thank you for your input. Our main concern right now, except that we run on much smaller machines, is that the initial user import takes too long time to finish. It starts out fast and then quite soon, it runs slower and slower. Do you think it would help to radically reduce the number of hashing iterations (to, say one) during import? We force the users to change password on the first login anyway, so I guess that it would not affect security? Best regards /Daniel _______________________________________________________________________ Daniel Hammarberg Managing Delivery Architect | Application Services Capgemini Sweden | Göteborg Mob.: + 46 725 052212 www.capgemini.com _______________________________________________________________________ Connect with Capgemini: -----Original Message----- From: Rainer-Harbach Marian <marian.rainer-harbach(a)apa.at&gt; Sent: den 26 mars 2018 15:23 To: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Performance Hi Daniel, On 2018-03-26 10:03, Hammarberg, Daniel wrote: just to give you a rough idea: We are running performance tests against a small Keycloak cluster (two machines with 24 CPU cores and 12 GB RAM each). We simulate OIDC and SAML login flows using JMeter. These tests use five million test users (but there are no groups). In this scenario we achieve about 400 Logins per second or 12000 requests to the userinfo endpoint per second. We found that login performance varies greatly with the number of PBKDF2 hashing iterations used (Keycloak uses 27500 by default). Best regards, Marian ________________________________ Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825 – S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

Hi Marian, At first, we tried using the admin REST API, but as we experienced the bad performance, we turned to using the method described on http://www.keycloak.org/docs/latest/server_admin/index.html#_export_import We have tried several times to run this over night in a system without any users. It runs slower and slower. After around 35000 users it stalls more or less completely. We tried to reduce the number of hashing iterations to one, but that did not do any difference to the import performance. What database are you running? We have a SQL Server database, where the server is shared between several systems. We don't experience much load on the database though, so we have not yet suspected the database to be the problem. One interesting finding is that when we try to run the import locally on our laptops, we don't have any performance problems. In that case, we use the H2 database that comes with Keycloak. Regards /Daniel ________________________________ Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825 – S-161 24 Bromma. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.