
mace-opensaml-users - Re: Opensaml/xmlsec performance

Subject: OpenSAML user discussion

  • From: Smith Baylor <>
  • To: Scott Cantor <>
  • Cc: Sanga Viswanathan <>,
  • Subject: Re: Opensaml/xmlsec performance
  • Date: Tue, 19 Oct 2004 12:57:47 -0700

No matter what you do, software version of XML security libraries will
not cut it. You will need a specialized appliance - fine tuned
hardware/software combination. Note that using Java will also degrade
performance here. You will need straight C with hardware acceleration
to do a reasonable job.

IBM or Sun folks may say use more hardware - but, my experience states
that this is a very expensive and an unreasonable proposition.

--Smith


On Thu, 14 Oct 2004 13:45:43 -0400, Scott Cantor
<>
wrote:
> > I have been using opensaml and was not signing the saml
> > assertions initially. When we had done performance testing,
> > we had gotten reasonable numbers. However now with signing
> > turned on, I see the response time degrade significantly.
>
> It will degrade pretty significantly no matter what you do, because the
> signing outweighs basically every XML operation. That said...
>
> > This gets worse as the load increases.
>
> This is because you're thrashing the CPU. No matter how fast it gets, if
> you're saturating the CPU, you need to keep the number of threads reasonable
> to avoid context switching overhead. With the old library you're using, we
> found that any more than about 5 active threads would kill a CPU. We didn't
> get good performance, but we got consistent performance if we throttled it.
>
> > I know there have been a lot of fixes put into the xmlsec-1.1
> > version and would like to know what your experience has been.
> > If I were to use the new xmlsec jar file, is that the only
> > jar to replace or is the corresponding xalan jar also needed?
>
> OpenSAML 1.0 includes xmlsec 1.1. It speeds up signing by roughly a factor
> of 3, so it's like night and day. If you're using an earlier version of my
> code, I can't promise the 1.1 version will work, since it isn't supported.
> Endorsing Xalan is only an issue if you're running JDK 1.4.2_05. Or you can
> grab the latest xmlsec cvs code that has a fix.
>
> -- Scott
>
>
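
The throttling advice quoted above, as an added example that is not part of the original messages or of OpenSAML: a fixed-size pool caps how many signing operations run at once, so extra requests queue instead of competing for the CPU. The class name `ThrottledSigner`, the pool size of 5 (taken from the "about 5 active threads" remark), and the use of plain `SHA256withRSA` over raw bytes in place of full XML signature processing are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.*;

public class ThrottledSigner {
    private final ExecutorService pool; // bounds concurrent signing work
    private final PrivateKey key;

    ThrottledSigner(PrivateKey key, int maxSigners) {
        this.key = key;
        this.pool = Executors.newFixedThreadPool(maxSigners);
    }

    // Requests beyond maxSigners wait in the pool's queue rather than
    // adding more runnable threads to an already saturated CPU.
    Future<byte[]> sign(byte[] data) {
        return pool.submit(() -> {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(key);
            s.update(data);
            return s.sign();
        });
    }

    void shutdown() { pool.shutdown(); }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // constructed test key
        ThrottledSigner signer = new ThrottledSigner(kp.getPrivate(), 5);

        List<byte[]> docs = new ArrayList<>();
        List<Future<byte[]>> sigs = new ArrayList<>();
        for (int i = 0; i < 200; i++) { // constructed sample payloads
            docs.add(("<Assertion id=\"" + i + "\"/>").getBytes(StandardCharsets.UTF_8));
            sigs.add(signer.sign(docs.get(i)));
        }
        int valid = 0;
        for (int i = 0; i < docs.size(); i++) {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(kp.getPublic());
            v.update(docs.get(i));
            if (v.verify(sigs.get(i).get())) valid++;
        }
        signer.shutdown();
        System.out.println(valid + " of " + docs.size() + " signatures verified");
    }
}
```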


