Symantec IGA

 View Only

Handling search performance in Identity Portal 

Sep 03, 2018 03:45 AM

The Identity Portal searches a google like mechanism that allows free search across multiple attributes. For example, if City and Last Name are set as the searchable attributes, and the string London is entered it will locate Jack London (last name) and Jack the Ripper (city). Reaching for Jack will return nothing, since the first name was not included in the definition.

 

In some scenarios, Identity Portal searches may behave poorly, taking a long time to return a result. There are several elements that can impact the search performance that should be considered.

The search component will search all  the attributes defined in the search screen taking into account the filter definition.

Attributesfilter

The result can be a rather complex LDAP query, for example

20180822.105543.185 45.353000 SEARCH dn="dc=medtronic,dc=com" scope=subtree filter=(&(&(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=imUser))(&(|(!(imCostCenter=res-*))(!(imCostCenter=*)))(|(imCostCenter=*fregi04*)(uid=*fregi04*)(employeeNumber=*fregi04*)(displayName=*fregi04*)(postalAddress=*fregi04*)(mail=*fregi04*))))(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=imUser))) eis=displayName title imAdminRoles postalAddress imLocale telephoneNumber l imCostCenter  uid imManagerId employeeNumber givenName imLoginID mail roomNumber sn cn source="us[userstore-router]"

To compound this, each additional string in the search box expand the query as a Cartesian Product, reducing the search performance.

 

There are several mitigation that can be considered.

  1. The user store hosts should have enough memory to hold the entire user-store in memory.
  2. Reduce the number of searchable attribute to the minimum required to get plausible results (e.g. If you are using First name and Last Name, there is little point in using Full Name, of if the user ID is used to generate the email, one of them may be redundant)
  3. Use filters (note that complex filter will offer diminishing returns).
  4. Test different search strategies (note that this is a global configuration and will impact all searches).
  5. In the managed object setup, make sure that the attributes used in the search screens are marked as searchable (note that too many searchable attributes will offer diminishing returns)
  6. Train users on the usage of quotes and advanced filters

Statistics
0 Favorited
2 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.