Identity Infrastructure Is Our Area Of Expertise

The subjects discussed here include technologies, standards, architecture, implementation, and applications ... a broad range, to be sure. Each area is evolving rapidly due to the dramatic increase in scope and importance of identity for services and applications. LDAP, virtual directories, federation, and SSO are now key ingredients in an IT infrastructure. The ability to get maximum performance from them is absolutely critical. We are fortunate to have a "behind-the-scenes" view, and hope the observations we share from that perspective prove useful to our readers who care about these topics.

Monday, Jul 06, 2009

Virtual Directory Performance Put To The Test

We've made a point of mentioning performance at nearly every opportunity lately, and it's time we expand on that a bit to fill in some details. We recently completed a series of benchmark tests that pitted Symlabs Virtual Directory Server against the two other leading virtual directories in the market, and the actual measured results from that testing not only back up our claim to the title of "fastest virtual directory server", they also let us point out just how much faster we really are. Bear in mind that our products are built on a common core engine (it's possible this may also be true for others), so while we tested Symlabs Virtual Directory Server, the inference is that Symlabs LDAP Proxy delivers similar performance (but not necessarily all the same features).

We set a design goal of superior performance from the very beginning of our work on the product, so of course we knew from development testing and customer feedback that we had top-notch speed, but we were curious (and also prompted by customers) to see the actual numbers in a head-to-head comparison. Before I discuss the results though, let me note that we readily admit a couple points to consider when reviewing them.

First, we're a vendor testing our own product against the competition - how can that be trusted? Well, we did our best to create a level playing field for all the participants just as an independent lab would do by using the latest generally available version of all products, identical hardware that is typical of a normal customer installation and specified by all vendors, and by configuring all products in the same way as much as their configurable parameters allowed. We used the SLAMD Distributed Load Generation Engine to generate increasing loads under several scenarios that are typical of actual customer deployments. SLAMD is an open, Java-based, industry standard benchmarking suite specifically designed for stress-testing LDAP directory servers and analyzing their performance. Most important, we've published full details of the test platform, the products, plus the test scenarios in our report - we encourage you to download a copy of Symlabs Virtual Directory Server Competitive Benchmarks, duplicate the tests (you can also download an evaluation copy of Symlabs Virtual Directory Server), and see for yourself.

Second, we tested without enabling cache in any of the products. Yes, it sounds suspicious because we have taken a position on caching, and you can read our earlier post Virtual Directory Servers and Cache that discusses it, but testing sans cache was not done with a bias, it is a practical necessity to be able to see raw performance. There is a detailed explanation of that in the report, but if you care to look into it further, you'll find that disabling cache is a standard practice for test environments seeking to evaluate underlying input/output speed. So, while we're sure some may complain, we're happy to defend it, and we're confident that no independent evaluation would consider results based on caching to be representative of the true raw I/O performance of the product being tested.

All that being said, here's what we found ... Symlabs Virtual Directory Server outperformed the competition, and by quite a bit on average. In some tests, the results were similar at the start with a minimal load of 10 clients, but by the time the load increased to 100 clients we were way out in front. In other tests, we started out well in front and just increased our lead throughout. Here's an example of that, showing the response time of Symlabs Virtual Directory Server versus one competitor in a straightforward test of throughput using a pass-through configuration. Symlabs is the lower line in red, and you can see that in this basic I/O test we finish with a 40% faster response time when the load becomes significant. That's a pretty meaningful advantage in a real IT environment. Against the other major competitor (not graphed), even at the starting point we are well over twice as fast, and maintain that lead plus a slight increase as client loads are added.

In a more complex test scenario, where we added a load balancing function to the responsibility of each virtual directory server, the results demonstrated an even bigger advantage for the Symlabs core engine. To realize the significance of this, think about a distributed identity infrastructure with multiple directory servers, perhaps organized by division or business function. A great many medium to large enterprises have such an environment, as do others such as service providers. Load balancing can be critical for overall performance (and also for adding redundancy) in these infrastructures, and the performance of the virtual directory server while handling load balancing is the key to achieving that, so we felt it was a valid addition to our test scenarios.

You can read the rest of the details in the full report, so I won't expand on them further now - here's the link: Download Symlabs Virtual Directory Server Competitive Benchmarks

As I mentioned earlier, if you are currently planning to implement a virtual directory in your infrastructure, or if you currently have one and would like to upgrade for better performance, we encourage you to duplicate these tests for yourself. After you download the report, stay to look around the Symlabs website where you'll find a wealth of helpful information and download an evaluation copy of our product to test. Finally, since this may become the subject of further discussion for a while, you can check out the links in our blogroll to see what everyone is saying, and be sure to check back here periodically for updates.

Jeff Zukowski

Tuesday, Apr 28, 2009

Next Stop - EIC 2009

We're continuing our "push for performance" at the European Identity Conference (EIC 2009) which is being held at Forum am Deutschen Museum in Munich from the 5th through the 8th of May. We'll be demonstrating our new releases of Symlabs Virtual Directory Server and Symlabs LDAP Proxy in the conference exposition, as well as Symlabs Federated Identity Suite. Since we already showcased the speed and added features of our new 5.0 releases in Las Vegas last month, we'll call this their first live performance tour in Europe. And although it's not quite as new, the current version of Symlabs Federated Identity Suite continues to prove its credentials quite capably since we rolled it out late last summer, and it has certainly earned a place on the performance podium as well.

In addition, Sampo Kellomäki, our Chief Architect, will be speaking in two panels that I'd highly encourage you to attend if at all possible. EIC is known for having world-class speakers from the ranks of enterprise technologists, thought leaders, and experts in most significant technology topics such as Identity Management and Governance, Risk Management and Compliance (GRC). It's put on by Kuppinger Cole, a highly respected analyst firm, and this year brings a very impressive list including some of the best known names in the industry and some good friends of ours - Felix Gaehtgens and Dave Kearns, just to mention a couple. The first panel Sampo is speaking in is User Centric Identity In The Cloud: Trust And Privacy, Trust Metrics on Wednesday the 6th at 16:30 following the break, part of the "Innovation" track. The second is Directory Services & Virtual Directories: Virtual Directory Services on Thursday the 7th also at 16:30 following the break, part of the "Best Practices" track. I can promise you that if Sampo has his way, the discussion will be interesting enough to keep you from dozing off after your meal. In fact, the whole agenda is full of topics that should hold your interest, but since there are four parallel streams of presentations, panels, and workshops, plus opening and closing keynotes every day it would be impossible to list them all. The full agenda is on the European Identity Conference 2009 site, so you can see it there.

In addition to the panels, presentations, and workshops, while you're at the conference I really hope you'll take the time to stop by our booth in the expo and give our team a chance to explain how you can put the performance of our products to work for you. Given the pressure of the current economy, it's more important than ever to maximize the use of your resources, and we can offer valuable suggestions on how to do that in your identity infrastructure if you'll spend a few minutes with us. Whether you are interested in virtual directory infrastructures or federated identity applications, we'll be happy to run our products through their paces for you and answer any questions you might have. See you in Munich!

Jeff Zukowski

Friday, Mar 20, 2009

Meet Us At The Experts Conference

The Experts Conference for Directory & Identity is coming up next week in Las Vegas, and this will give us our first chance to do trade show demonstrations of the new 5.0 release of Symlabs Virtual Directory Server and Symlabs LDAP Proxy. We announced 5.0 several weeks ago, and in case you missed it, you can read the press release: Symlabs Races Ahead of Rivals With Performance of New Products. It includes both new features and performance improvements, but we've been particularly focused on the performance of these products lately. While we've had a great deal of dialog with our client base and are extremely pleased with the results they've experienced, this is an opportunity to take the new release out "on the road" and show it off. These situations always produce interesting discussions, sometimes leading us to new ideas, and often letting us see a light bulb go on over someone's head when we can take the time to explain exactly why performance matters so much and demonstrate it live.

We've done benchmark testing that shows both Symlabs Virtual Directory Server and Symlabs LDAP Proxy to be significantly faster than competitive products, and we're currently doing some more. In the near future, we'll post the results here and provide a complete picture of how we tested and what it means in different types of implementations. That will also give us a chance to review the new features in 5.0 for Active Directory (domain routing and cross-domain authentication), LDAP (virtual tree), and all the new plug-ins plus enhancements to administration and configuration tools.

For most attendees, the biggest reason to be interested in The Experts Conference is the information that the experts will dish out there. There is a whole agenda of workshops and educational sessions, covering some of the hottest topics in the industry. Of course, there will be a number of BOFs (Birds of a Feather sessions) which usually turn into some of the most interesting discussions at technical shows. We'll be participating in both the Virtual Directories and the Federated Service BOFs, so if you would like to share your views on either subject, hear ours, and take part in the discussion that follows, please join in. The Experts Conference is running from Sunday, March 22 through Wednesday, March 25, and the official BOFs are being held Tuesday, March 24, starting at 4:30 PM. You can see the whole agenda and get more information on the show here, then check when you get there for specific locations or any informal sessions that are announced, and be sure to look us up.

Tuesday, Feb 17, 2009

Virtual Directory Servers And Cache

A number of people have been expressing various opinions about the use (or, indeed, even the need) of caching in virtual directories. Most of the discussion has resulted in response to a blog posting by Ashraf Motiwal. In a recent post he asks Symlabs to come forward and provide our own impressions on the subject, and we're happy to join the discussion. In short, Symlabs believes that a cache is a tool that should be used within a virtual directory only when needed, and in general caching should be avoided where there is not a clear need for it.

The general discussion about the performance overhead that a vds layer places on top of an existing data infrastructure has been adequately addressed by Mark Wilcox in his blog post. We typically see an increase in latency of around 2 milliseconds, although this may vary to between 1 and 4 milliseconds depending on your infrastructure and the amount of processing that you are handling within your virtual directory.

Keep in mind that cache has its uses, mainly to overcome limitations of your infrastructure, but also that it is usually not the only solution available. Some potential situations include:

  • The back-end server cannot provide the requested throughput. However, this is best overcome by setting up additional replicas.
  • Latency from the back-end server is too high. This one is usually best overcome with a replica that is local to the virtual directory server.
  • The back-end server suffers from unacceptably low availability. For instance, the server might have scheduled maintenance shutdowns that render the source unavailable to client applications. This, too, is overcome with a replica.
  • Calculating the result set takes too long in the back-end server. This usually occurs as the result of a very complex SQL query that requires too many external joins. In this case, it's better to redesign your provisioning workflows.
  • The client application is brain-dead and performs the same query many times in a row - this is the only case in which I've seen true benefits from using cache in a virtual directory server.

We realize that real world environments can't always (or even often) be filled only with ideal solutions, and we've tried to account for that in the design of our products. For any of the cases above, if the client has some limitations that do not allow the preferred strategies to be employed, we provide flexible caching options in Symlabs Virtual Directory Server and Symlabs LDAP Proxy v5.0.

I hope that in everything that I have said here, I have made it clear that I do not think that a cache is the proper solution to handling performance issues. In general it should be considered more as a band-aid that can be used in a desperate situation. In this vein, I fully agree with the comments that Clayton Donley made in his blog post back in April last year.

One final note, I have to correct the math in Tim Paul's blog post. If your server does 5000 queries per second, the latency of each query is NOT 0.2 milliseconds (1/5000) - in reality you have multiple client connections being served at the same time and even multiple asynchronous requests over those connections. Modern directories have search latencies between 1 and 20 milliseconds.

Antonio Navarro
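The relationship between throughput and latency in the closing note above can be checked with a small closed-loop simulation. This is an added example, not part of the original post or any Symlabs code; the worker count, the 2 ms service time, and the client counts are constructed values chosen so the server sustains 5000 queries per second.

```python
import heapq
from collections import deque

def naive_latency_ms(qps):
    """The mistaken estimate: treat the server as handling one query at a time."""
    return 1000.0 / qps

def simulate(clients, workers, service_us, duration_us=1_000_000):
    """Closed-loop load: every client keeps exactly one request outstanding.

    The server processes up to `workers` requests in parallel, each taking
    `service_us` microseconds. Returns (queries per second, mean latency in ms).
    All parameters are hypothetical, for illustration only.
    """
    waiting = deque((0, c) for c in range(clients))   # (issue time, client id)
    busy = []                                         # heap: (finish, issue, client)
    now = done = total_latency_us = 0
    while True:
        # Hand queued requests to free workers.
        while waiting and len(busy) < workers:
            issued, client = waiting.popleft()
            heapq.heappush(busy, (now + service_us, issued, client))
        finish, issued, client = heapq.heappop(busy)
        if finish > duration_us:
            break
        now = finish
        done += 1
        total_latency_us += now - issued              # queueing + service time
        waiting.append((now, client))                 # client sends its next query
    qps = done * 1_000_000 / duration_us
    return qps, total_latency_us / done / 1000.0

if __name__ == "__main__":
    for n in (10, 100):
        qps, lat = simulate(clients=n, workers=10, service_us=2000)
        print(f"{n:3d} clients: {qps:.0f} q/s, mean latency {lat:.2f} ms "
              f"(1/throughput would claim {naive_latency_ms(qps):.1f} ms)")
```

With 10 clients the server delivers 5000 queries per second at 2 ms each; with 100 clients throughput stays at 5000 while latency rises toward 20 ms, because latency equals requests in flight divided by throughput.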

Thursday, Sep 25, 2008

Trust In New Mobile Applications - Part 3 (Conclusion)

Although we've had a bit of a gap in our thread on this topic, I'd like to get back to it at last and finish it up. Working from the architecture I described in the last section, let's assume this view continues to develop, and Telcos push ahead with implementing SAML 2.0 APIs as a general rule. For ASPs, then, adopting this open security model will be both straightforward and very beneficial. They'll have plenty of options for adding the technology to their application that will allow the widest variety of ASPs to participate, no matter what underlying hardware or software they built it on. When their application needs to validate itself to the Telco network, it can use standard SAML 2.0 authentication methods to do it. When it needs information from the user's profile to incorporate into the service, it can use standard ID-WSF application queries or something more advanced such as People Service, if it's available, to obtain it securely.

The fact that SAML 2.0 and ID-WSF are open standards not only means a level playing field for all the ASPs and Telcos in terms of functionality, it also means solid security for the information under their control. But, while SAML 2.0 and the various ID-WSF protocols are the main instruments for securing identity information in this environment, the "identity-related services" that are defined in the ID-WSF model will play an important role in the big picture for mobile users.

Going forward, the applications that will be most desirable for mobile users generally need some personal and profile information to create their value, but that should not necessarily mean releasing any sensitive information. After securely validating the identity of the participants (the user, the ASP, the Telco) and their authority to take part in a particular transaction at any place and time, the services in the ID-WSF model can be made available to all the participants for secure, controlled delivery of that personal information in a standardized format, while safeguarding sensitive information.

This gives ASPs and Telcos a safe, flexible, and easy way to utilize information in end-to-end services on behalf of a user. Because it's open and standardized, an ASP can develop to APIs that will work with a variety of Telco networks and Telcos can incorporate a wide range of ASPs and make their services available quickly - neither has to create special access, security, or formats to protect and exchange privileged information. In fact, using this model, the ID-WSF services that manage and deliver this information are themselves a potential market for ASPs.

While some types of information might naturally associate with a network, like user location or handset model, other types, like personal contacts and associations, are related to the user, and still others, like automobile registration are related more to an outside authority. ID-WSF is a rich environment that defines services such as geolocation, contact book, personal profile, and ID-DAP to not only objectify the information in a standard way, but also create a layer of security with access that can be granted or controlled by the appropriate authority (i.e., user, network administrator).

The end result, when developed and done properly, is the ability to create applications like Wizi, offer them in a variety of networks from a single ASP platform, and allow them to become a unique service experience in each implementation by combining other participating ASPs or features particular to that Telco. This, of course, brings us back around to the front of the discussion, and why we are so energized to work on standards activities, proofs-of-concept, and demonstrations with ASPs, Telcos, and the assortment of other companies and organizations that have similar interests. We really think this will result in some important and powerful capabilities that can dramatically change how people go about a great many of their daily activities.

Everything we learn, plus anything useful we create in these activities gets incorporated into Symlabs Federated Identity Suite. We tailor specific packages based on some of these activities, for example our IdP Telco package has everything they need to utilize the protocols, operate an Identity Provider, and connect to ID-WSF services in their network. We also offer packages designed to build and manage various ID-WSF services such as Personal Profile, Geolocation, or People Service.

I hope I have given you enough of an overview of this exciting environment that we get to watch unfolding firsthand, and are fortunate to participate in creating. In the event that you have any questions, are interested in trying Symlabs Federated Identity Suite for yourself, or have some ideas you'd like to explore, please visit our website. You can download our products, obtain more information, or contact us with your suggestions.

Pablo Sánchez
