Is Your IAM Vendor Keeping up with the Cloud?

The ForgeRock Identity and Access Management Platform can be deployed in many different cloud services such as AWS, Google, Azure, and, very recently through a partner, Alibaba Cloud. Being able to support a cloud deployment model is one thing, but keeping up with the changes in the cloud at the pace they are happening is where ForgeRock excels. We accomplish this not only by testing and updating our cloud deployment model against current best practices and recommendations with every release of our platform, but also by testing and improving it as the security landscape changes and by adding new capabilities based on customer requirements.

I had one such opportunity recently where a prospective customer in the financial services industry wanted to deploy the ForgeRock platform in AWS and test out its scalability for their stringent security requirements as well as business and development needs. The industry and nature of their end users is such that their applications would see heavy usage during tax season.

The main IAM platform requirements this company had include:

  • Deploying in Amazon Elastic Kubernetes Service (EKS) to enable their DevOps CI/CD pipeline

  • 10,000 transactions/second with less than 100ms response time for 95th percentile of calls

  • A replication delay of less than one second between token stores

  • 10 million users in the user store with 150,000 concurrent users

In addition to the requirements above, they also needed a custom pair of authentication trees with their own nodes, built with assistance from the ForgeRock team, and a mixed load of tests representative of their expected production environment. The authentication trees combined Intelligent Authentication with “step up” authorization: one generated an OTP for multifactor authentication and the other simulated a call out to an external fraud engine. They were implemented as two separate trees so that the performance of each function could be verified independently.

Cloud Deployment in Action

To address these requirements, I started with the standard ForgeRock Cloud Deployment Model guide and picked the large cluster size for Amazon EKS because of the throughput requirements (even though we would consider 10,000,000 users a medium cluster deployment). After the 5-minute ForgeRock cloud deployment was done, off I went to make additional changes. This included switching from ELB to ALB to meet the new security requirements and configuring the ALB appropriately. The resulting deployment looked something like this:

[Image: Modern IAM Scales deployment diagram]

Cloud Deployment Results

After that little bit of work, what did we actually get?

  • Over 60,000 transactions per second with a 53ms response time for 95th percentile of calls

  • Replication delay of 22-34 milliseconds between token stores

  • 150,000 concurrent users simulated successfully with 95th percentile of response times less than 100ms in all tests

We met and exceeded all our intended target performance metrics with a good margin to spare!
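To make the acceptance criteria concrete, here is an added example (not ForgeRock's code and not the test harness used in this engagement) that checks load-test samples against the three numeric requirements from the list above: a 95th-percentile response time under 100 ms, a replication delay under one second, and at least 10,000 transactions/second. The latency and replication-lag samples are constructed for illustration; a real run would feed in the per-request timings exported by the load tool.

```python
"""Check load-test results against the post's acceptance criteria.

Added example, not ForgeRock code. All sample data below is constructed.
"""

# Acceptance criteria taken from the requirements list in the post.
P95_LATENCY_MS = 100.0        # 95th percentile of calls under 100 ms
MAX_REPLICATION_DELAY_MS = 1000.0  # under one second between token stores
MIN_TPS = 10_000.0            # 10,000 transactions/second


def percentile(samples, pct):
    """Nearest-rank percentile: the smallest sample such that at least pct%
    of all samples are <= it. Unlike interpolation, this always returns an
    observed latency, which is what "95% of calls under 100 ms" asks for.
    pct is an integer 0..100; rank is computed with integer ceiling division
    to avoid float rounding at exact boundaries such as 95% of 100 samples."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    n = len(ordered)
    rank = (pct * n + 99) // 100       # 1-based nearest rank
    return ordered[max(rank, 1) - 1]


def throughput_tps(request_count, duration_s):
    """Average throughput over the measured window."""
    if duration_s <= 0:
        raise ValueError("duration must be positive")
    return request_count / duration_s


def evaluate(latencies_ms, replication_lags_ms, request_count, duration_s):
    """Return measured values and a pass/fail flag for each criterion."""
    p95 = percentile(latencies_ms, 95)
    lag_max = max(replication_lags_ms)   # worst observed replication delay
    tps = throughput_tps(request_count, duration_s)
    p95_ok = p95 < P95_LATENCY_MS
    replication_ok = lag_max < MAX_REPLICATION_DELAY_MS
    tps_ok = tps >= MIN_TPS
    return {
        "p95_ms": p95,
        "p95_ok": p95_ok,
        "replication_max_ms": lag_max,
        "replication_ok": replication_ok,
        "tps": tps,
        "tps_ok": tps_ok,
        "all_ok": p95_ok and replication_ok and tps_ok,
    }


# Constructed data: 95 calls between 20 and 60 ms plus 5 slow outliers.
# p95 lands on the slowest of the 95 fast calls (60 ms), so the run passes
# even though a few requests were far above 100 ms.
LATENCIES_PASS = [20 + (i % 41) for i in range(95)] + [150, 180, 210, 260, 310]

# Constructed data: one more outlier (6 of 100 above 100 ms) pushes the
# 95th-ranked sample onto the first outlier (150 ms), so the run fails.
LATENCIES_FAIL = [20 + (i % 41) for i in range(94)] + [150, 180, 210, 260, 310, 400]

# Constructed replication-delay samples (ms) between token stores.
REPLICATION_LAGS_MS = [22, 25, 31, 34, 28]

# Constructed throughput window: 600,000 requests over 10 seconds.
REQUESTS = 600_000
DURATION_S = 10.0


if __name__ == "__main__":
    for name, data in (("pass", LATENCIES_PASS), ("fail", LATENCIES_FAIL)):
        result = evaluate(data, REPLICATION_LAGS_MS, REQUESTS, DURATION_S)
        print(name, result)
```

The nearest-rank percentile is chosen deliberately: a p95 target is a statement about real calls, and the second data set shows how a single extra slow request at the boundary can flip the verdict, which is why the 95th percentile should be checked per test rather than averaged across runs.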

This meant that our prospective customer could go back to their business owners and tell them:

  • They can handle peak production loads during tax season without any issues

  • The ForgeRock Platform will scale to meet their future business growth projections

  • They can meet the strict security requirements even when running in AWS

  • They can leverage our Trust Network to add new capabilities quickly

  • They can add new capabilities that their business needs continuously with CI/CD

Lessons Learned

  • Performance results for ALB or ELB are very similar, so based on your security and business requirements, you can choose either

  • Using a “Large” sized cluster with 10M accounts rather than 100M produced better performance numbers than the "official" performance results, because the same Directory Services memory covers a smaller data set and allows more of it to be cached

Now we have all the artifacts that any customer can use to deploy in AWS in under 5 minutes and support 60,000 transactions/second.

Interested in more? Read this detailed guide that goes through the steps. Install ForgeRock in the cloud of your choice in under 5 minutes and run! 

Need more help? Please feel free to reach out to our experts.

Who Is James Billingham?

James is a Performance Architect with 20 years of experience in J2EE, IT architecture and performance at ForgeRock, OpenBet and IBM. He likes to work with customers to understand their business requirements, design architectures to meet them, test to verify them, and works to continually improve the performance of ForgeRock’s Platform. In his free time, he tries to improve his tennis skills and running performance, with less success.
