15.6 Monitoring Identity Server Statistics

The Statistics page allows you to monitor the amount of data and the type of data the Identity Server is processing. You can specify the intervals for the refresh rate and, where allowed, view graphic representations of the activity.

  1. In the Administration Console, choose Devices > Identity Servers.

  2. In the Statistics column, click View.

    [Figure: Identity Server activity]
  3. Click either of the following options:

    Statistics: Select this option to view the statistics as currently gathered. The page is static and the statistics are not updated until you click Live Statistics Monitoring.

    Live Statistics Monitoring: Select this option to view the statistics as currently gathered and to have them refreshed at the rate specified in the Refresh Rate field.

  4. Review the following statistics:

  5. Click Close to return to the Servers page.

15.6.1 Application

Statistic

Description

Free Memory

The percentage of free memory available to the JVM (Java Virtual Machine). Click Graphs to view memory usage for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the percentage of memory that is free for the selected time period.

15.6.2 Authentications

Statistic

Description

Provided Authentications

The number of successful provided authentications given out to external entities since the Identity Server was started.

Consumed Authentications

The number of successful consumed authentications since the Identity Server was started.

Provided Authentication Failures

The number of failed provided authentications given out to external entities since the Identity Server was started.

Consumed Authentication Failures

The number of failed consumed authentications since the Identity Server was started.

Logouts

The number of explicit logouts performed by users. This does not include logouts where an inactive session was destroyed.

Cached Sessions

The number of currently active cached user sessions. This represents the number of users currently logged into the system; however, if a single person has two browser windows open on the same client and if that person performed two distinct authentications, then that person has two user sessions.

Click Graphs to view the number of cached sessions for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the number of cached sessions. If no sessions have been cached, the value axis is not meaningful.

Cached Ancestral Sessions

The number of cached ancestral session IDs. An ancestral session ID is created during the failover process. When failover occurs, a new session is created to represent the previous session. The ID of the previous session is called an “ancestral session ID,” and it is retained for subsequent failover operations.

Cached Subjects

The number of current cached subject objects. Conceptually, the cached subjects are identical to the cached principals.

Cached Principals

The number of current cached principal objects. A principal can be thought of as a single directory user object. Multiple users can log in using a single directory user object, in which case multiple cached sessions would exist sharing a single cached principal.

Cached Artifacts

The number of current cached artifact objects. During authentication, an artifact is generated that maps to an assertion. This cache holds the artifact to assertion mapping until the artifact resolution request is received. Under normal operations, artifacts are resolved within milliseconds of being placed in this cache.

15.6.3 Incoming HTTP Requests

Incoming HTTP requests are divided into three categories: active, interval, and historical. As soon as a request is complete, it is placed into the interval category. The interval represents the last 60 seconds of processed requests. At the completion of the 60-second interval, all requests in the interval category are merged into the historical category.

Statistic

Description

Total Requests

The total number of incoming HTTP requests that have been processed since the Identity Server was started. Click Graphs to view the number of requests for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the number of requests for the selected time period.

Currently Active Requests

The number of currently active incoming HTTP requests.

Oldest Active Request (Milliseconds)

The age of the oldest currently active incoming HTTP request.

Last Interval Maximum Request Duration (Milliseconds)

The age of the longest incoming HTTP request that was processed during the last 60-second interval.

Last Interval Mean Request Duration (Milliseconds)

The mean age of all incoming HTTP requests that were processed during the last 60-second interval.

Historical Maximum Request Duration (Milliseconds)

The age of the longest incoming HTTP request that was processed since the Identity Server was started.

Historical Mean Request Duration (Milliseconds)

The mean age of all incoming HTTP requests that were processed since the Identity Server was started.

15.6.4 Outgoing HTTP Requests

Outgoing HTTP requests are divided into three categories: active, interval, and historical. As soon as a request is complete, it is placed into the interval category. The interval represents the last 60 seconds of processed requests. At the completion of the 60-second interval, all requests in the interval category are merged into the historical category.

Statistic

Description

Total Requests

The total number of outgoing HTTP requests that have been processed since the Identity Server was started. Click Graphs to view the number of requests for a specific unit of time (1 hour, 1 day, 1 week, 1 month, 6 months, or 12 months). The Value axis displays the number of requests for the selected time period.

Currently Active Requests

The number of currently active outgoing HTTP requests.

Oldest Active Request (Milliseconds)

The age of the oldest currently active outgoing HTTP request.

Last Interval Maximum Request Duration (Milliseconds)

The age of the longest outgoing HTTP request that was processed during the last 60-second interval.

Last Interval Mean Request Duration (Milliseconds)

The mean age of all outgoing HTTP requests that were processed during the last 60-second interval.

Historical Maximum Request Duration (Milliseconds)

The age of the longest outgoing HTTP request that was processed since the Identity Server was started.

Historical Mean Request Duration (Milliseconds)

The mean age of all outgoing HTTP requests that were processed since the Identity Server was started.
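The active, interval, and historical categories described for incoming and outgoing HTTP requests can be modelled as follows. This is an added example, not Identity Server code: the class and function names are hypothetical, and it assumes that the "last interval" is the interval currently being filled. It shows that a hung request is visible only in Oldest Active Request until it completes, and that the historical mean must be merged from counts and sums rather than from interval means.

```python
from dataclasses import dataclass, field

INTERVAL_MS = 60_000  # the 60-second interval described above


@dataclass
class Bucket:
    """Completed requests: count, summed duration and longest duration (ms)."""
    count: int = 0
    total_ms: int = 0
    max_ms: int = 0

    def add(self, duration_ms):
        self.merge(Bucket(1, duration_ms, duration_ms))

    def merge(self, other):
        # Carry counts and sums, not means, so the merged mean stays weighted.
        self.count += other.count
        self.total_ms += other.total_ms
        self.max_ms = max(self.max_ms, other.max_ms)

    def mean_ms(self):
        return self.total_ms / self.count if self.count else 0.0


@dataclass
class RequestStats:
    active: dict = field(default_factory=dict)  # request id -> start time (ms)
    interval: Bucket = field(default_factory=Bucket)
    historical: Bucket = field(default_factory=Bucket)
    interval_start: int = 0

    def roll(self, now):
        """Fold every finished 60-second interval into the historical bucket."""
        while now - self.interval_start >= INTERVAL_MS:
            self.historical.merge(self.interval)
            self.interval = Bucket()
            self.interval_start += INTERVAL_MS

    def start(self, req_id, now):
        self.roll(now)
        self.active[req_id] = now

    def finish(self, req_id, now):
        self.roll(now)
        self.interval.add(now - self.active.pop(req_id))

    def oldest_active_ms(self, now):
        return max((now - t for t in self.active.values()), default=0)


def demo():
    """Constructed timeline (times in ms since start), not real traffic."""
    s = RequestStats()
    s.start("a", 0); s.finish("a", 100)          # 100 ms
    s.start("b", 1_000); s.finish("b", 1_300)    # 300 ms
    s.start("slow", 2_000)                       # does not finish yet
    s.start("c", 61_000); s.finish("c", 61_050)  # 50 ms, second interval
    return s
```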

15.6.5 Liberty

Statistic

Description

Liberty Federation

The number of Liberty protocol federations performed since the Identity Server was started.

Liberty De-Federations

The number of Liberty protocol defederations performed since the Identity Server was started.

Liberty Register-Names

The number of Liberty protocol register names performed since the Identity Server was started.

15.6.6 SAML 1.1

Statistic

Description

SAML1.1 Attribute Queries

The number of SAML 1.1 protocol attribute queries performed since the Identity Server was started.

15.6.7 SAML 2

Statistic

Description

SAML2 Attribute Queries

The number of SAML 2 protocol attribute queries performed since the Identity Server was started.

SAML2 Federations

The number of SAML 2 protocol federations performed since the Identity Server was started.

SAML2 Defederations

The number of SAML 2 protocol defederations performed since the Identity Server was started.

SAML2 Register-Names

The number of SAML 2 protocol register names performed since the Identity Server was started.

15.6.8 WSF (Web Services Framework)

Statistic

Description

Personal Profile Service Queries

The number of Liberty IDSIS Personal Profile Web Service queries performed since the Identity Server was started.

Personal Profile Service Modifies

The number of Liberty IDSIS Personal Profile Web Service changes performed since the Identity Server was started.

Employee Profile Service Queries

The number of Liberty IDSIS Employee Profile Web Service queries performed since the Identity Server was started.

Employee Profile Service Modifies

The number of Liberty IDSIS Employee Profile Web Service changes performed since the Identity Server was started.

Custom Profile Service Queries

The number of Novell Custom Profile Web Service queries performed since the Identity Server was started.

Custom Profile Service Modifies

The number of Novell Custom Profile Web Service changes performed since the Identity Server was started.

Credential Profile Service Queries

The number of Novell Credential Profile Web Service queries performed since the Identity Server was started.

Credential Profile Service Modifies

The number of Novell Credential Profile Web Service changes performed since the Identity Server was started.

Authentication Profile Service Queries

The number of Novell Authentication Profile Web Service queries performed since the Identity Server was started.

Authentication Profile Service Modifies

The number of Novell Authentication Profile Web Service changes performed since the Identity Server was started.

LDAP Profile Service Queries

The number of Novell LDAP Profile Web Service queries performed since the Identity Server was started.

LDAP Profile Service Modifies

The number of Novell LDAP Profile Web Service changes performed since the Identity Server was started.

Constant Profile Service Queries

The number of Novell Constant Profile Web Service queries performed since the Identity Server was started.

Discovery Service Queries

The number of Liberty Discovery Web Service queries performed since the Identity Server was started.

Discovery Service Modifies

The number of Liberty Discovery Web Service changes performed since the Identity Server was started.

Redirected Interaction Service Requests

The number of Liberty User Interaction Redirection Profile requests performed since the Identity Server was started.

Trusted Interaction Service Requests

The number of Liberty User Interaction Trusted Service Profile requests performed since the Identity Server was started.

Client of Redirected Interaction Service Requests

The number of Liberty User Interaction Redirection Profile requests initiated as a client since the Identity Server was started.

Client of Trusted Interaction Service Requests

The number of Liberty User Interaction Trusted Service Profile requests initiated as a client since the Identity Server was started.

Data Location LDAP

The number of attempts to use LDAP as a data location for a query or a modify of any Web Service since the Identity Server was started.

Data Location LDAP Aggregation

The number of attempts to use LDAP as a data location for aggregation of a query or a modify of any Web Service since the Identity Server was started.

Data Location User Profile

The number of attempts to use the User Profile object as a data location for a query or a modify of any Web Service since the Identity Server was started. A User Profile object is a directory object stored in the Identity Server's configuration datastore.

Data Location User Profile Aggregation

The number of attempts to use the User Profile object as a data location for aggregation of a query or a modify of any Web Service since the Identity Server was started. A User Profile object is a directory object stored on the Identity Server's configuration datastore.

Data Location Remote

The number of attempts to use the Remote location as a data location for a query or a modify of any Web Service since the Identity Server was started. A Remote location includes Pushed Attributes and External Services.

Data Location Pushed Attributes

The number of attempts to use the Pushed Attributes as a remote data location for a query or a modify of any Web Service since the Identity Server was started.

Data Location Pushed Attributes Aggregation

The number of attempts to use the Pushed Attributes as a remote data location for aggregation of a query or a modify of any Web Service since the Identity Server was started.

Data Location External Service

The number of attempts to use an External Service as a remote data location for a query or a modify of any Web Service since the Identity Server was started. An External Service is where the same Web Service exists on an external Service Provider and a call can be made to request data from the service.

15.6.9 Clustering

An authoritative server is the cluster member that holds the authentication information for a given user session. For a request associated with a given session to be processed, it must be routed (“proxied”) to the authoritative cluster member. If an L4 switch causes a request to go to a non-authoritative cluster member, that cluster member proxies the request to the authoritative cluster member.

When a request is received, a cluster member uses multiple means to determine which cluster member is the authoritative server for the request. It looks for a parameter on the query string of the URL indicating the authoritative server. It looks for an HTTP cookie, indicating the authoritative server. If these do not exist, the cluster member examines the payload of the HTTP request to determine the authoritative server. Payload examinations result in immediate identification of the authoritative server or a user session ID or user identity ID that can be used to locate the authoritative server.

If a user session ID or user identity ID is found, the ID is broadcast to all cluster members asking which member is the authoritative server for the given ID. The authoritative server receives the broadcast message, determines that it indeed holds the given session or user, and responds accordingly.

The higher the number of proxied requests, the lower the performance of the entire system. Furthermore, the higher the number of payload examinations and ID broadcasts, the lower the performance of the entire system. If these numbers are high, verify the configuration of the L4 switch. Make sure that the session persistence option is enabled, which allows clients to be directed to the same Identity Server after they have established a session.

Statistic

Description

Currently Active Proxied Requests

The number of currently active proxied HTTP requests.

Total Proxied Requests

The total number of proxied requests that have been processed since the Identity Server was started. A request becomes a proxied request when the request is sent first to a non-authoritative machine.

Total Non-Proxied Requests

The total number of non-proxied requests that have been processed since the Identity Server was started. A request becomes a non-proxied request when the request is sent first to the authoritative machine.

Authoritative Server Obtained from URL Parameter

The total number of authoritative servers identified by using the parameter from the URL query string since the Identity Server was started.

Authoritative Server Obtained from Cookie

The total number of authoritative servers identified by using the HTTP cookie since the Identity Server was started.

Payload Examinations

The total number of attempted payload examinations to identify the authoritative server since the Identity Server was started.

Successful Payload Examinations

The total number of successful payload examinations to identify the authoritative server since the Identity Server was started.

Identity ID Broadcasts

The total number of attempted Identity ID Broadcasts to identify the authoritative server since the Identity Server was started.

Successful Identity ID Broadcasts

The total number of successful Identity ID Broadcasts to identify the authoritative server since the Identity Server was started.

Session ID Broadcasts

The total number of attempted Session ID Broadcasts to identify the authoritative server.

Successful Session ID Broadcasts

The total number of successful Session ID Broadcasts to identify the authoritative server since the Identity Server was started.
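Because these counters are cumulative since the Identity Server was started, the check described above (high proxied, payload examination, and broadcast numbers pointing at the L4 switch) is best made on the difference between two readings. The following is an added example, not part of the product: the function names, the sample readings, and both thresholds are assumptions, and only the statistic labels come from the table above.

```python
# Statistic labels from the Clustering table, in (attempted, successful) order.
FIELDS = [
    "Total Proxied Requests", "Total Non-Proxied Requests",
    "Payload Examinations", "Successful Payload Examinations",
    "Identity ID Broadcasts", "Successful Identity ID Broadcasts",
    "Session ID Broadcasts", "Successful Session ID Broadcasts",
]
LOOKUPS = [(FIELDS[i], FIELDS[i + 1]) for i in (2, 4, 6)]


def snapshot(*values):
    """Build a snapshot dict from values given in FIELDS order."""
    return dict(zip(FIELDS, values))


# Constructed sample readings (not real data), taken at three points in time.
SNAP_A = snapshot(1200, 48000, 300, 290, 40, 38, 60, 55)
SNAP_B = snapshot(4200, 55000, 2300, 2250, 140, 135, 460, 430)
SNAP_C = snapshot(10, 990, 5, 5, 0, 0, 1, 1)  # first reading after a restart


def deltas(prev, curr):
    """Increase of each counter between two snapshots.

    The counters run from Identity Server start, so any counter that went
    down means a restart; the current values are then the whole delta.
    """
    restarted = any(curr[k] < prev[k] for k in FIELDS)
    return {k: curr[k] - (0 if restarted else prev[k]) for k in FIELDS}, restarted


def assess(prev, curr, max_proxied=0.10, max_fallback=0.05):
    """Report proxying and fallback-lookup rates for one polling period.

    max_proxied and max_fallback are assumed thresholds for this example.
    """
    d, restarted = deltas(prev, curr)
    total = d["Total Proxied Requests"] + d["Total Non-Proxied Requests"]
    report = {"restarted": restarted, "requests": total, "findings": []}
    if total == 0:
        return report
    report["proxied_ratio"] = d["Total Proxied Requests"] / total
    report["fallback_ratio"] = sum(d[tried] for tried, _ in LOOKUPS) / total
    report["failed_lookups"] = {tried: d[tried] - d[ok] for tried, ok in LOOKUPS}
    if report["proxied_ratio"] > max_proxied:
        report["findings"].append("proxied ratio high: check L4 session persistence")
    if report["fallback_ratio"] > max_fallback:
        report["findings"].append("payload examinations / ID broadcasts high")
    return report


if __name__ == "__main__":
    for prev, curr in ((SNAP_A, SNAP_B), (SNAP_B, SNAP_C)):
        print(assess(prev, curr))
```

The failed_lookups figures are the attempted counters minus their "Successful" counterparts for the same period.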

15.6.10 LDAP

Statistic

Description

Connections Created

The total number of LDAP connections created since the Identity Server was started. This count is a sum of all connections created to all replicas of the configuration datastore and all user stores.

Connections Destroyed

The total number of LDAP connections destroyed since the Identity Server was started. This count is a sum of all connections destroyed on all replicas of the configuration datastore and all user stores.

Connections Reused

The total number of times an LDAP connection was reused for a subsequent administrative task since the Identity Server was started.

Connections Shared Between Pools

The total number of times an LDAP connection count has been shared between connection pools since the Identity Server was started. Each LDAP replica contains two connection pools: the user connection pool and the administration connection pool.

  • User connections are used to authenticate users and they are created and immediately destroyed.

  • Administration connections are persisted in the pool and reused for administrative tasks.

Each pool has a maximum number of current connections it is allowed to hold at any one time. Initially, the number of allowed connections is allocated evenly between the two pools. If a much greater demand is detected for one pool over the other, then the pools reallocate their maximum number of connections, increasing one pool's maximum by one and decreasing the other pool's maximum by one. When this happens, it is said that the pool “shared” a connection with the other pool.

User Store Replica Restarts

The number of times that a user store replica became unavailable so that a restart was necessary since the Identity Server was started. A user store restart is attempted once every minute.

Successful User Store Replica Restarts

The number of times that a user store replica restart was successfully completed since the Identity Server was started.

User Store Replica Restart Retries

The number of times that a user store replica restart failed and was put back into “wait mode” to try again in one minute since the Identity Server was started.

Currently Active Connection Waits

The current number of user threads waiting for an LDAP connection to become available.

Connection Waits

The number of times that a user thread was required to wait for an LDAP connection to become available since the Identity Server was started. A wait would be required if the maximum number of connections allocated to the associated connection pool were all currently in use by other threads.

Connection Waits Aborted Due To Timeout

The number of times that an LDAP connection wait terminated because of the Identity Server timing out since the Identity Server was started. This would result in an LDAP Service Not Available error.

Connection Waits Aborted Due To Closed Pool

The number of times that an LDAP connection wait terminated because of a closed connection pool since the Identity Server was started. This would normally be caused by an LDAP replica failing while the user thread is waiting for the connection. This would result in an LDAP Service Not Available error.

15.6.11 SP Brokering

Statistic

Description

Total Brokering Requests

The total number of brokering requests created since the Identity Server was started. This count is a sum of all connections created to all replicas of the configuration datastore and all user stores.

Total Brokering Requests Denied Due to Group Check

The total number of brokering authentication requests denied in a target service provider. The brokering group can either be the identity provider or target service provider, but both do not belong to the same group.

Total Brokering Requests Denied Due to Role Deny

The total number of brokering authentication requests to a target service provider denied due to broker policy evaluation denying the role.

Total Brokering Requests Passed

The total number of brokering requests passed since the Identity Server was started.