1. SSO data storage volume
Preliminary note: the raw-data figures are based on a pessimistic rule of thumb: for every 10 bytes of net data that Microsoft Active Directory stores, it requires about 100 bytes of storage (data, replication metadata, indexes, etc.).
Several types of user data are stored in the Active Directory server:
- Information about the user tokens
- The encryption keys and user accounts
- User profiles
Application parameters are stored in Active Directory in the following objects:
- Application
- The Application Access Strategies
- The objects containing application access rules
1.1 User's data
1.1.1 Token Objects
A token has a maximum of 25 attributes (in addition to the basic attributes), which is about 350 bytes of net data or 3.5 kBytes of raw data: 1 kByte for the basic attributes plus 25 attributes of about 10 bytes each, 250 x 10 = 2.5 kBytes.
1.1.2 Encryption keys and user accounts
The user's encryption keys are stored in the enatelSSOStorage object under the user's object. This object has a size of about 900 bytes of net data and 9 kBytes of raw data:
- 1 kByte for the base object
- At least 3 entries for SSO keys: the SSO personal key, the SSO recoverable key and the SSO recovery key. Each key is 1024 bits, i.e. 128 bytes, stored as a string of 256 bytes, which represents 2560 bytes per key (applying the Microsoft rule).
Hence 1024 + 2560 x 3 = 8704 bytes, or approximately 9 kBytes.
Each account (enatelSSOAccount object) stores the login, the encrypted password, a password history and various internal information. Assuming a history of the last 3 passwords, this is approximately 200 bytes of net data and 2 kBytes of raw data:
- 1 kByte base
- An identifier of 7 characters => 70 bytes
- 3 old passwords + 1 current = 4 passwords, each stored as an encrypted 128-bit (16-byte) value: 4 x 16 x 10 = 640 bytes
Hence 1024 + 70 + 640 = 1734, or rounded, about 2 kBytes.
An account can also have additional parameters, each about 1.5 kBytes of raw data. Assuming on average one additional parameter per 3 applications (worst case), this adds 0.05 kBytes of net data (0.5 kBytes of raw data) per account.
1.1.3 User's Profiles
A profile is an object of about 100 bytes of net data and 2 kBytes of raw data.
The number of user profiles depends on the configuration implemented: in the extreme case there can be as many profiles as users, but profiles are generally assigned to groups or organizational units.
1.2 Application storage objects
The configuration is stored in the Active Directory in form of several objects:
- Application: 2 kBytes of net data and 21 kBytes of raw data
- Application Access Strategy: 100 bytes of net data, i.e. 2 kBytes of raw data in total
- Application Link (if any): assuming two objects of 16 and 32 bytes of net data (48 bytes in total), i.e. 2.5 kBytes of raw data
1.3 Example
Consider a user belonging to a "population" that accesses 10 applications.
1.3.1 SSO Data
Net data:
0.9 + 10 x 0.2 + 10 x 0.05 = 3.4 kBytes
10000 users means 34 MBytes.
Raw data:
9 + 10 x 2 + 10 x 0.5 = 34 kBytes
10000 users means 340 MBytes
1.3.2 Data Configuration
Assuming 450 applications, we arrive at 450 x 2 = 900 kBytes of net data (450 x 21 = 9450 kBytes of raw data).
The number of Application Access Strategy objects is variable: there may be only one, but there can also be several per application (in a really extreme case).
If each "population" accesses an average of 10 applications, each population has 10 population-application relationships, i.e. 10 pairs of Application Link objects, which is 48 bytes x 10 = 480 bytes of net data and 2.5 x 10 = 25 kBytes of raw data.
With 250 populations, each accessing an average of 10 of the 450 applications, we have 250 x 10 = 2500 relationships, i.e. 2500 x 48 bytes = 120 kBytes of net data and 2500 x 2.5 = 6250 kBytes of raw data.
From experience, for 450 applications and 10,000 users we find an average of 10 Application Access Strategies, i.e. 10 x 100 bytes = 1 kByte of net data and 10 x 2 = 20 kBytes of raw data.
From experience, for 10,000 users there is an average of 10 profiles, i.e. 1 kByte of net data and 20 kBytes of raw data.
In summary, we arrive at:
Net data:
450 x 2 + 250 x 10 x 0.048 + 1 + 1 = 1022 kBytes (about 1 MByte)
Raw data:
450 x 21 + 250 x 10 x 2.5 + 20 + 20 = 15740 kBytes (about 15.74 MBytes)
1.3.3 Total space occupation
Given the assumptions on the number of users and number of applications, we obtain the following information:
Net data:
1 MByte + 34 MBytes = 35 MBytes
Raw data:
15.74 MBytes + 340 MBytes = 355.74 MBytes (rounded to 356 MBytes)
Note: this size does not take into account the fragmentation caused by the Active Directory storage system; heavy fragmentation could double it.
2. Audit Volume
To estimate the volume of audit data generated, consider the following standard user scenario:
A user performs each day:
- 1 logon with Authentication Manager to automatically launch Enterprise SSO.
- 10 applications launched with Enterprise SSO.
- 1 application password change made by Enterprise SSO.
- 5 lock / unlock sessions via Authentication Manager.
In this scenario, the required space in the database for a user is about 20 kBytes per day.
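The figures above can be turned into a small sizing calculator. The following Python is an example added to this page, not code from the original documentation or from One Identity: it encodes the per-object sizes of sections 1.1 and 1.2, reproduces the example of section 1.3 with the page's rounding (net up to 0.1 kByte and raw up to 1 kByte per object, 1 MByte = 1000 kBytes for the totals), and adds the audit growth of section 2, so that the assumptions (number of users, applications, populations, password history length, fragmentation) can be varied. Tokens are left out, as in the page's own example. The object names are the page's; the function and parameter names, the hex encoding assumed for the 256-byte key strings, and the 30-day audit retention default are this example's own.

```python
"""Sizing calculator for Enterprise SSO data stored in Active Directory.

Worked example added to this page (not One Identity code). It applies the
preliminary note's rule (10 bytes net -> 100 bytes raw), the page's rounding
(net up to 0.1 kByte, raw up to 1 kByte per object) and 1 MByte = 1000 kBytes
for the aggregates, as the page's totals do.
"""
import math
from typing import NamedTuple

RAW_FACTOR = 10         # preliminary note: AD needs about 10x the net data
BASE_NET_BYTES = 100    # basic attributes of any object (1 kByte of raw data)
BYTES_PER_KB = 1024


class Size(NamedTuple):
    """Net and raw size in the same unit (kBytes unless stated otherwise)."""
    net: float
    raw: float

    def __add__(self, other: "Size") -> "Size":
        return Size(round(self.net + other.net, 3), round(self.raw + other.raw, 3))

    def scale(self, n: float) -> "Size":
        return Size(round(self.net * n, 3), round(self.raw * n, 3))


def _round_up_kb(n_bytes: float, step_kb: float) -> float:
    """Round a byte count up to the next multiple of step_kb; result in kBytes."""
    step = step_kb * BYTES_PER_KB
    return round(math.ceil(n_bytes / step) * step_kb, 3)


def derived_object(payload_net_bytes: int) -> Size:
    """Object carrying payload_net_bytes of attributes on top of the basic
    attributes, rounded as the page rounds (net to 0.1 kB, raw to 1 kB)."""
    net = BASE_NET_BYTES + payload_net_bytes
    raw = BYTES_PER_KB + payload_net_bytes * RAW_FACTOR
    return Size(_round_up_kb(net, 0.1), _round_up_kb(raw, 1))


def storage_object(keys: int = 3, key_bits: int = 1024) -> Size:
    """enatelSSOStorage (1.1.2): 1024-bit keys stored as 256-byte strings.
    Assumption of this example: hex encoding, i.e. 2 characters per key byte."""
    return derived_object(keys * (key_bits // 8) * 2)


def account_object(password_history: int = 3, login_chars: int = 7,
                   encrypted_pw_bytes: int = 16) -> Size:
    """enatelSSOAccount (1.1.2): login plus the current password and its
    history, each an encrypted 128-bit (16-byte) value."""
    return derived_object(login_chars + (password_history + 1) * encrypted_pw_bytes)


# Figures the page gives directly (already rounded), in kBytes.
EXTRA_PARAMETER = Size(0.15, 1.5)    # additional account parameter (1.1.2)
PROFILE = Size(0.1, 2.0)             # user profile (1.1.3)
APPLICATION = Size(2.0, 21.0)        # application object (1.2)
ACCESS_STRATEGY = Size(0.1, 2.0)     # Application Access Strategy (1.2)
APPLICATION_LINK = Size(0.048, 2.5)  # pair of link objects, 16 + 32 bytes net (1.2)
AUDIT_KB_PER_USER_DAY = 20           # standard scenario of section 2


def per_user(apps_per_user: int = 10, password_history: int = 3,
             extra_params_per_app: float = 1 / 3) -> Size:
    """1.3.1: the storage object plus, per application, one account object
    and its share of additional parameters."""
    per_app = account_object(password_history) + EXTRA_PARAMETER.scale(extra_params_per_app)
    return storage_object() + per_app.scale(apps_per_user)


def configuration(applications: int = 450, populations: int = 250,
                  apps_per_population: int = 10, strategies: int = 10,
                  profiles: int = 10) -> Size:
    """1.3.2: applications, population-application links, strategies, profiles."""
    links = populations * apps_per_population
    return (APPLICATION.scale(applications) + APPLICATION_LINK.scale(links)
            + ACCESS_STRATEGY.scale(strategies) + PROFILE.scale(profiles))


def total_mb(users: int = 10000, fragmentation: float = 1.0, **assumptions) -> Size:
    """1.3.3: total in MBytes. fragmentation=2.0 is the worst case of the
    closing note of section 1; it only affects the raw (on-disk) figure."""
    kb = per_user(**assumptions).scale(users) + configuration()
    return Size(round(kb.net / 1000, 3), round(kb.raw * fragmentation / 1000, 3))


def audit_mb(users: int = 10000, retention_days: int = 30) -> float:
    """Section 2: audit database growth over the retention period (assumed 30 days)."""
    return users * AUDIT_KB_PER_USER_DAY * retention_days / 1000


if __name__ == "__main__":
    print("per user (kB):      ", per_user())
    print("configuration (kB): ", configuration())
    print("total (MB):         ", total_mb())
    print("total, fragmented:  ", total_mb(fragmentation=2.0))
    print("audit, 30 days (MB):", audit_mb())
```

With the defaults the calculator returns 3.4 / 34 kBytes per user, 1022 / 15740 kBytes of configuration and 35.022 / 355.74 MBytes in total; total_mb(fragmentation=2.0) gives the doubled raw figure of the note, and total_mb(password_history=7) or total_mb(apps_per_user=20) shows how quickly a longer password history or a wider application portfolio moves the estimate.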
© 2024 One Identity LLC. ALL RIGHTS RESERVED.