The reliability of all applications depends on the faultless operation of the authentication server. Non-functional characteristics, i.e. performance, scalability, fault tolerance and recovery from failures, are especially important.
An authentication system can have peak hours when very many users log in to the applications simultaneously. This can happen once a day or even once a year. It is important that the authentication system copes well with this peak load, even if the peak load lasts a long time.
Increasing the load on the system increases the response time for each request. It is important that the processing time of each request remains short even at times of peak load, so that the total duration of the login procedure does not exceed 1-1.5 seconds, which is considered user-friendly. A typical login to an application requires about 3-4 requests on average:
- The application accesses the authentication server with a request for user identification. The server displays the login page to the user.
- The browser sends the authentication data to the server for verification. The server checks the data and, through the browser, returns the result to the application in the form of an intermediate security token (authorization code).
- The application interacts with the authentication server to exchange the intermediate security token for other tokens (access token, identification token).
- The application interacts with the authentication server to obtain user attributes.
Measured response times form a distribution. To assess the response time overall, you can use indicators such as:
- Average response time – the arithmetic mean for all requests
- The 95th percentile – the time within which the fastest 95% of requests are completed
- The 99th percentile – the time that only the slowest 1% of requests exceed
A response time of 200-300 ms per request can be considered good. The whole authentication process then fits into the 1-1.5 seconds that is comfortable for the user.
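The indicators above, computed per login step and for the whole login, as an added example that is not part of the original page or the Blitz report. The step names, the constructed latency samples and the use of the upper ends of the targets (300 ms per request, 1500 ms per login) are assumptions.

```python
# Added example: sample data below is constructed, not taken from a real load test.
STEPS = ("authorize", "credentials", "token", "userinfo")  # the four requests of one login
PER_REQUEST_MS = 300   # upper end of the 200-300 ms per-request target
LOGIN_MS = 1500        # upper end of the 1-1.5 s login target


def percentile(samples, p):
    """Nearest-rank percentile: smallest sample with at least p% of samples <= it."""
    ordered = sorted(samples)
    rank = max(1, (p * len(ordered) + 99) // 100)  # integer ceil(p * n / 100)
    return ordered[rank - 1]


def summarize(samples):
    """Mean, 95th and 99th percentile of a list of response times in ms."""
    return {"mean": sum(samples) / len(samples),
            "p95": percentile(samples, 95),
            "p99": percentile(samples, 99)}


def make_logins():
    """100 constructed logins; the last 3 hit a slow backend (10x base latency)."""
    base = (40, 120, 60, 50)  # ms per step, hypothetical
    return [tuple(b * (10 if i >= 97 else 1) + i for b in base) for i in range(100)]


def evaluate(logins):
    """Per-step and whole-login statistics with pass/fail against the targets."""
    report = {}
    for idx, step in enumerate(STEPS):
        stats = summarize([login[idx] for login in logins])
        stats["p95_ok"] = stats["p95"] <= PER_REQUEST_MS
        stats["p99_ok"] = stats["p99"] <= PER_REQUEST_MS
        report[step] = stats
    total = summarize([sum(login) for login in logins])  # whole login, all four requests
    total["p95_ok"] = total["p95"] <= LOGIN_MS
    total["p99_ok"] = total["p99"] <= LOGIN_MS
    report["login"] = total
    return report


if __name__ == "__main__":
    for name, s in evaluate(make_logins()).items():
        print(f"{name:12s} mean={s['mean']:7.1f} p95={s['p95']:5d} p99={s['p99']:5d} "
              f"p95_ok={s['p95_ok']} p99_ok={s['p99_ok']}")
```

On this data the average and the 95th percentile meet both targets, while the 99th percentile shows the slowest logins taking about 3 seconds, which the average alone hides.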
During load testing of the Blitz Identity Provider installed on two servers with a 2-core, 2 GB RAM configuration, the following metrics were obtained:
A good load test should include checking performance over an extended period that simulates the daily cycle of the system. This makes it possible to verify that performance does not degrade under long-term load, and that the authentication system adapts well to the rise and fall of the load. During testing, both the response time and the number of failures in request processing are evaluated.
You can see the report on the load test of the authentication server Blitz Identity Provider.
Below is a graph of the execution time of a single request as a function of load. The Blitz Identity Provider was installed on two servers with a 2-core, 2 GB RAM configuration: