Single sign-on or SSO enabled applications were introduced to provide more security and ease of use to the end-users. Enabling SSO also needs an evaluation of application performance. This ensures the performance is not hampered during authentication.
In this edition, we will discuss how to test the performance of SSO enabled applications.
Global Market Trend for SSO Application
Single sign-on or SSO enabled applications are expected to grow with the Compound Annual Growth Rate (CAGR) by 12.0% between 2020 and 2027. The market size value in 2020 was $0.94 Billion, which may rise up to $2.13 Billion in 2027.
Source: Orion Market Reports
Performance Testing For Apps With and Without SSO
|Parameter||Application Without SSO||Application With SSO|
Only application-level authentication needs to be handled in the scripting.
Both application and IdP level authentication need to be handled in scripting.
Login request may or may not be load tested.
Login request requires load testing.
Only application and database server-level monitoring is required.
All systems involved in SSO should be monitored along with app and DB servers.
Performance Script Development and Execution Workflow
Areas to Monitor During Performance Testing
- Authentication token generation, availability, and refresh time.
- SSO traffic such as redirect URLs and user request attributes.
- GET/POST web services requests to SSO/IdP server.
- Third-party APIs using scripts (synthetic monitoring).
- Script development is complex due to additional requests (Service Provider and IdP request/response) and SAML token.
- Difficult to find the root cause of login failures.
- Assessing slow response time factors like network latency and application/server wait times.
- Automatically redirect all requests to handle multiple redirects due to request passing to IdPs.
- For running specific SSO test cases, enable the login script followed by a scenario script to check the impact of SSO for each use case.
- Use Cookie Manager Configuration to manage cookies.
- While running the performance scripts, monitor resources on service provider & IdP servers.
- Use a reliable extractor option (like regular expression, CSS extractor, and XPath extractor) for handling dynamic SAML tokens.
- Choose a high-performance SSO protocol.
- Manage the cache and set appropriate refresh times.
Important Load Testing Scenarios
Check the performance with and without SSO.
Load test all business-critical scenarios after SSO implementation.
Test users with different access and privileges.
Test the application for forced sign-in.
As SSO enabled applications provide an extra layer of security, it is important to load test the application before and after enabling SSO to make sure your application maintains your predefined performance benchmarks.
We would love to hear your feedback, questions, comments and suggestions. This will help us to make us better and more useful next time.
Share your thoughts and ideas at firstname.lastname@example.org