Enhancing SCIM group and user API performance

Enhanced SCIM group API performance

From foundational services version 3.19 and later, the LDAP search is enhanced. Now, by default, foundational services supports the LDAP query filter size limit to up to 5000. With the LDAP query filter size enhancement, the group API performance has also enhanced because the bulk of group members can be searched in a single LDAP search. If there are huge number of members in a group, it is advised to increase the LDAP query filter size limit to at least 5000 for the configured LDAP to get the benefit from the enhanced performance of the group API calls.

Follow the tuning guidelines for the CPU and memory for the following observations, if you have large number of members in a group:

Note: The provided values in the following observations and tuning guidelines are the estimated values. These values might also depend on the other environmental factors such as, overall load, cluster health, network, etc.

• A Group of approximately 21k members with concurrent access to 10 users, requires around 1500m of CPU and 1500Mi of memory, and 1 replica for the small profile.

• If the number of concurrent access increases, you need to increase the number of replicas as well. For example, the same 21k members for concurrent access to 20 users, require around 3 replicas with the 1500m of CPU & 1500Mi of memory for the small profile.

• If you have more members in the group, use the large profile instead of the small profile. For example,the large profile for a group of 87K members with the concurrent access to 10 users, needs around 3 replicas with 2550m of CPU and 2850Mi of memory.

Enhanced SCIM user API performance

From foundational services version 3.20 and later, IAM has introduced the following configuration parameters to improve the performance of the SCIM users search API:

• SCIM_AUTH_CACHE_MAX_SIZE: It indicates the maximum number of tokens that are stored in the cache. The default value is 1000. If you have multiple concurrent calls, it is recommended to tune this value.

• SCIM_AUTH_CACHE_TTL_VALUE: It indicates the TTL value in second of each token that is stored in the cache. The default value is 60 seconds. If you have a long running process that simultaneously calls SCIM API for more than 60 seconds, it is recommended to tune this value.

These SCIM configured parameters improve the overall response time to avoid the repeated authorization calls.

Changing the configured SCIM attributes by using the console

1. Log in to the Red Hat® OpenShift® Container Platform console as a user with cluster administrator access.
2. From the navigation menu, click Workloads > Config Maps.
3. Search for platform-auth-idp.
4. Click ... > Edit Config Map.

5. Change the following attribute values to true, as required:

   • SCIM_AUTH_CACHE_MAX_SIZE

   • SCIM_AUTH_CACHE_TTL_VALUE

6. Click Save.

7. From the navigation menu, click Workloads > Deployments.

8. Locate auth-idp.

9. Click ... > Edit Deployment. A window for editing displays.

10. Click Save without making any change. This step is to reload the auth-idp pods with the latest ConfigMap values.

11. Click auth-idp.

12. Wait for some time. Then, check the status of the auth-idp pods in the Pods pane. The status of all the pods must show as 4/4 under the Ready field name.

Changing the configured SCIM attributes by using CLI

1. Log in to your infrastructure node by using the oc login command.

2. Edit the platform-auth-idp configmap.

   oc -n ibm-common-services edit configmap platform-auth-idp
   

3. Change the following SCIM configured attributes parameter to a higher value:

   • SCIM_AUTH_CACHE_MAX_SIZE
   • SCIM_AUTH_CACHE_TTL_VALUE

4. Save the changes.

5. Restart the auth-idp pods by deleting the pods.

   1. Get the auth-idp pod names.

      oc -n ibm-common-services get pods | grep auth-idp
      

   2. Delete the auth-idp pod.

      oc -n ibm-common-services delete pods <pod-name>
      

Wait for some time and then check the status of the auth-idp pods. The status of all auth-idp pods must show as Running.

oc -n ibm-common-services get pods | grep auth-idp

Custom Group filter support in SCIM User API

From foundational services version 3.22 and later, the LDAP Group filter value is supported when you query for a group of SCIM user.

For example: User1 is part of four groups - icptest1, icptest2, isvtest1 and isvtest2 and you set this value "(&(cn=%v)(cn=*icptest*)(objectclass=person))" in the LDAP Group filter while creating the LDAP connection. When you query the User1 through the SCIM API, the User1 will only have icptest1 and icptest2 groups in the group section of the SCIM response.