Chunked IDP Authentication - SSO Login

We have implemented SSO for Designer, Gateway, and Vision clients using 8.1.3. When we log in to the Gateway or a Perspective session, the process is smooth and takes around 2-3 seconds max.

However, when we log in to a Designer or Vision client, the process takes around 13-15 seconds and the webpage which you are redirected to flashes “Chunked IDP Authentication” multiple times.

We have an open ticket for this [#11650] but have not received any response. We need to get the login time to a Vision client down to the 2-3 sec that it takes to log into Perspective because we will be rolling out SSO to a lot of sites and this will be an annoyance to everyone who logs in.

Thanks,
Nick

It doesn’t surprise me that it takes longer in Vision to get a SAML response because the current solution breaks up the SAML POST Response into multiple GET requests (the “chunks”) and sends each chunk to the Vision client’s runtime to re-assemble the response there. With Perspective, if you’re already in a web browser, this extra complexity isn’t needed, whereas in Vision / Designer you are running on a native app and there are some extra challenges with IPC between the browser where you do IdP login and the native app that you want to log into.

That’s not to say that the existing process’s performance could not be improved, though in order to improve it, we’ll need some more information. Would you be able to perform a login to Vision using the same IdP, but with a test user whose credentials you wouldn’t care about? Before submitting your login credentials at the IdP, open up your web browser’s dev tools and record the network activity, and then submit your credentials and let the recording play out until you land on the terminal page which says something to the effect of “You may now close this browser tab”. Stop the recording at this point, and DM me the recording file (in Chrome I believe it is a ‘.har’ file).

There really isn’t much of a workaround if you are using a SAML IdP for logging into Vision, unless your SAML IdP is sending unnecessarily large amounts of data on each response that you do not need; in that case, you could see if you could reconfigure something to only send what is necessary to reduce the size of the SAML response, thereby reducing the number of “chunks”. If the current performance is unacceptable in your situation, you could use the classic authentication strategy and point to the same Active Directory or database user source that is used by your SAML IdP. You could also check to see if your IdP supports OIDC, which should not suffer the same performance drawbacks.
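Added example, not part of the thread and not Inductive Automation code: a sketch that strips credentials, cookies and SAML payloads from a recorded HAR before it is shared, then totals request count and time per endpoint so the chunk GETs stand out. The sample HAR is constructed, and its hosts, paths and parameter names are hypothetical.

```python
import copy
from collections import defaultdict
from urllib.parse import urlsplit

# Headers that can carry session tokens or the original query string.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "referer", "location"}

def _entry(method, url, ms, post=None):
    """Build one minimal HAR entry for the constructed sample below."""
    req = {"method": method, "url": url, "headers": [{"name": "Cookie", "value": "sid=abc"}]}
    if post:
        req["postData"] = {"mimeType": "application/x-www-form-urlencoded", "text": post}
    return {"time": ms, "request": req,
            "response": {"status": 200, "headers": [], "content": {"text": "<html>...</html>"}}}

# Constructed sample: hosts, paths and parameters are hypothetical, not Ignition's real ones.
SAMPLE_HAR = {"log": {"entries": [
    _entry("POST", "https://idp.example/login", 400.0, "user=test&password=hunter2"),
    _entry("GET", "https://gateway.example/chunk?i=0&data=PHNhbWw", 3000.0),
    _entry("GET", "https://gateway.example/chunk?i=1&data=OlJlc3A", 3100.0),
    _entry("GET", "https://gateway.example/chunk?i=2&data=b25zZT4", 2900.0),
]}}

def redact(har):
    """Return a copy with cookies, listed headers, bodies and query values removed."""
    out = copy.deepcopy(har)
    for e in out["log"]["entries"]:
        for msg in (e["request"], e["response"]):
            msg["cookies"] = []
            for h in msg.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    h["value"] = "REDACTED"
        req = e["request"]
        if "postData" in req:
            req["postData"] = {"mimeType": req["postData"].get("mimeType", ""), "text": "REDACTED"}
        u = urlsplit(req["url"])
        req["url"] = f"{u.scheme}://{u.netloc}{u.path}"  # drop query string and fragment
        req["queryString"] = []
        e["response"].get("content", {}).pop("text", None)  # body may embed the SAML form
    return out

def summarize(har):
    """Map (method, host, path) -> (request count, total milliseconds)."""
    stats = defaultdict(lambda: [0, 0.0])
    for e in har["log"]["entries"]:
        u = urlsplit(e["request"]["url"])
        stats[(e["request"]["method"], u.netloc, u.path)][0] += 1
        stats[(e["request"]["method"], u.netloc, u.path)][1] += e["time"]
    return {k: (n, ms) for k, (n, ms) in stats.items()}

if __name__ == "__main__":
    for key, (n, ms) in summarize(redact(SAMPLE_HAR)).items():
        print(key, n, "requests,", round(ms), "ms")
```

A real browser export carries more fields than this sample, so inspect the redacted file before sending it.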

@jspecht sorry for my slow response. On the ticket below, we showed the help desk engineer the issue and at that time we took a recording in Chrome which we sent to them. If you don’t have access to that data but would like it, let me know and I will send it to you.

Also, to confirm, the response is a total of 13kb so I don’t think that represents a heavy load.

I will check if our SAML can support OIDC, but in general we would like to see the speed of Vision login be much closer to Perspective. We are using Vision because, with the large number of tags (several 100 thousand), Perspective speed performance is expected to be insufficient.

[#11650]

Thanks,

Nick