Planning for ADFS Capacity

Applies To: Windows Server 2003 R2

Capacity planning for Active Directory Federation Services (ADFS) is the process of planning for growth and forecasting peak usage periods to meet specific ADFS server role and federated application requirements. It involves analyzing results from extensive performance testing to establish the ideal resource use and transaction throughput for an ADFS server role or federated application under specific load conditions.

This section describes performance and scalability guidelines for specific ADFS server roles: federation server, federation server proxy, and ADFS-enabled Web servers. These guidelines are based on lab testing that was performed by the ADFS product team at Microsoft. The purpose of this section is to help you:

  • Closely estimate the hardware needs for your organization’s specific ADFS deployment.

  • Get recommendations about ADFS server role and federated application capacity based on an analysis of actual test result data.

    Note

    Recommendations are identified with a Recommendations heading throughout this section so that you can quickly locate them and assess how they may affect your deployment decisions.

  • Understand how capacity requirements and scaling techniques can affect peak load conditions that might be handled by specific ADFS server roles and federated applications.

  • Accurately project the expected peak usage for sign-in requests, plan for growth, and ensure that your ADFS deployment is capable of handling that expected peak usage.

This section does not contain formulas for determining the minimal or optimal number of federation servers, federation server proxies, or ADFS-enabled Web servers for a specific ADFS design.

To understand the full ADFS capacity planning story, see the following topics:

Terminology

The following table describes important terms that are used in this capacity planning section of the Active Directory Federation Services Design Guide.

  • Account federation server
    The federation server in the account partner organization. The account federation server issues security tokens to users based on user authentication. The server authenticates the user, pulls the relevant attributes and group membership information out of the account store, and generates and signs a security token to return to the user—either to be used in its own organization or to be sent to a partner organization.
  • Federated application
    An application that is ADFS-enabled, meaning that it can be accessed by federated users.
  • Resource federation server
    The federation server in the resource partner organization. The resource federation server typically issues security tokens to users based on a security token that is issued by an account federation server. The server receives the security token, verifies the signature, transforms the organizational claims based on its trust policy, generates a new security token based on information in the incoming security token, and signs the new token to return to the user and ultimately to the Web application.
  • Scaling out
    A design approach that adds more servers to your deployment to distribute application processing load more evenly across multiple computers. Scaling out adds servers in anticipation of further growth, and it provides flexibility so that a server that participates in a Web farm can be taken offline for upgrades with relatively little impact on the cluster.
  • Scaling up
    A design approach that upgrades an existing system or individual hardware components of a single system, such as CPU or memory, in your deployment. When a system reaches the maximum limit for the number of CPUs (or other hardware components) as it is scaled up, the only scaling option that remains is scaling out.

Hardware and software

This section describes the hardware and software that the ADFS product team used to perform its tests. The team used the following computer hardware and software configuration to gather performance and scalability data in tests of the federation server and ADFS-enabled Web server.

  • HP Proliant DL560 G1

  • Four Intel Xeon CPUs, each CPU running at 2.2 gigahertz (GHz) with hyper-threading enabled

  • 4 gigabytes (GB) of memory

  • Windows Server 2003 R2, Enterprise Edition

The team used the following computer hardware and software configuration to gather performance and scalability data for the federation server proxy tests.

  • Dell Optiplex GX620

  • One Intel Pentium 4 CPU, running at 3.4 GHz

  • 2 GB of memory

  • Windows Server 2003 R2, Enterprise Edition

Measuring ADFS server capacity

Typically, the hardware components that affect server performance and scalability are the CPU, memory, the disk, and network adapters. Fortunately, each of the ADFS components places very little demand on memory and disk space. Network connectivity is an obvious requirement. Therefore, load tests that are performed on federation servers, federation server proxies, and ADFS-enabled Web servers concentrate on three primary areas for measuring server capacity:

  • Sign-in requests per second: The number of sign-in requests that are processed per second on federation servers. This measurement can help you determine how many simultaneous users can sign in to a given server. Used together with the CPU consumption measurement, it shows how the sign-in rate affects performance.

  • CPU consumption: The percentage of CPU capacity in use. This measurement can help you determine the overall CPU load that results from a given number of incoming sign-in requests per second.

  • Application requests per second: The number of client requests to a federated application that are processed per second on an ADFS-enabled Web server. This measurement can help you measure the performance impact of client requests on both the federated application and the ADFS Web Agent.
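As an added illustration of using the sign-in rate and CPU consumption measurements together (this script is not part of the Design Guide), the code below fits a straight-line CPU model to constructed load-test samples from a federation server and projects the sign-in rate at which a chosen CPU ceiling would be reached. The sample values and the linear model are assumptions for the example.

```python
"""Combine sign-in rate and CPU consumption from a federation server load test.

Added example for this section, not part of the ADFS Design Guide. The samples
below are constructed; the linear CPU model is an assumption for illustration.
"""

# Constructed one-second samples: (sign-in requests per second, CPU consumption %)
SAMPLES = [(20, 15.0), (40, 27.0), (60, 39.0), (80, 51.0), (100, 63.0), (120, 75.0)]


def fit_cpu_model(samples):
    """Least-squares line cpu = slope * rate + intercept.

    slope is the CPU percentage that each additional sign-in per second costs;
    intercept is the idle/background load. Assumes CPU grows roughly linearly
    with load, which holds only below saturation.
    """
    n = len(samples)
    sx = sum(r for r, _ in samples)
    sy = sum(c for _, c in samples)
    sxx = sum(r * r for r, _ in samples)
    sxy = sum(r * c for r, c in samples)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    intercept = (sy - slope * sx) / n
    return slope, intercept


def peak_signins_observed(samples):
    """Highest sign-in rate actually measured; anything beyond it is extrapolation."""
    return max(r for r, _ in samples)


def signins_at_cpu_ceiling(samples, cpu_ceiling):
    """Sign-in rate at which the fitted model reaches cpu_ceiling (for example 80%)."""
    slope, intercept = fit_cpu_model(samples)
    if slope <= 0:
        raise ValueError("CPU did not increase with load; model is not usable")
    return (cpu_ceiling - intercept) / slope


if __name__ == "__main__":
    slope, intercept = fit_cpu_model(SAMPLES)
    print(f"CPU cost per sign-in/s: {slope:.2f}% (baseline {intercept:.1f}%)")
    print(f"Sign-ins/s at 80% CPU: {signins_at_cpu_ceiling(SAMPLES, 80):.0f} "
          f"(measured up to {peak_signins_observed(SAMPLES)})")
```

Because the projection extrapolates past the highest measured rate, treat it as a planning estimate to confirm with a further load test rather than as a capacity figure.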