OpenSAML user discussion

["Scott Cantor" <>]

> I have been using opensaml and was not signing the saml 
> assertions initially. When we had done performance testing, 
> we had gotten reasonable numbers. However now with signing 
> turned on, I see the response time degrade significantly. 

It will degrade pretty significantly no matter what you do, because the
signing outweighs basically every XML operation. That said...

> This gets worse as the load increases.

This is because you're thrashing the CPU. No matter how fast it gets, if
you're saturating the CPU, you need to keep the number of threads reasonable
to avoid context switching overhead. With the old library you're using, we
found that any more than about 5 active threads would kill a CPU. We didn't
get good performance, but we got consistent performance if we throttled it.

>  I know there has been a lot of fixes put into the xmlsec-1.1 
> version and would like to know what your experience has been. 
> If I were to use the new xmlsec jar file, is that the only 
> jar to replace or the corresponding xalan jar is also needed.

OpenSAML 1.0 includes xmlsec 1.1. It speeds up signing by roughly a factor
of 3, so it's like night and day. If you're using an earlier version of my
code, I can't promise the 1.1 version will work, since it isn't supported.
Endorsing Xalan is only an issue if you're running JDK 1.4.2_05. Or you can
grab the latest xmlsec cvs code that has a fix.

-- Scott