Thursday, March 07, 2013 4:14 PM
I have a client with 1.5M users and they want to use it for self service user profile and group management. Has anyone implemented FIM in such a large scale before?
I am mainly worried about Sync. I think I should use sync in classical way (no declarative provisioning, no sync rules) to keep it performant. But still will Sync be able to handle it? How long initial sync and incremental sync may take? What are the potential challenges I might encounter? Any kind of suggestions/comments would be appreciated.
Also, how many FIM Portals I may need to put? Is 8 a right number, or 4 should be enough? Is there anything I should be worried about?
Thursday, March 07, 2013 8:19 PM
Well ... I think that it would be hard to find many people with experience at this scale - few folks in US who handles US Air Forca and some education comes to my mind. Best would be probably to try to involve product group if you can. You should look for a slide deck from one of TechEds in US where MS IT is showing their numbers, this should give you good overview of a scale you may need for this.
Just few quick thoughts here:
- Being me I would challenge myself if to use FIM Service and portal at this project at all. Probably I would go for a lightweight custom application for group self-service and solution based on SQL database underneath with some well defined scenarios for self-service/ approval paths etc. Well though architecture and it will provide both - scale and flexibility.
- Even if use FIM service for it, I would still go for custom light weighted application for end-users. However using FIM Service with FIM Synch in this particular scenario might be challenging for some reasons. One of them being only single FIM MA being able to connect to given FIM Service instance.
- If using FIM Service, question might be why to use synch service: you may execute actions from workflow directly. However load might be significant and it rises at least several other problem, where ensuring transaction integrity and applying it in case of failure and re-conciliation of a group is not the most challenging. Scale will be a problem again.
- With solution based on some SQL database, custom front-end app for self-service I would go for synchronization engine, however to deliver this on this scale I would partition the synchronization to use multiple synchronization engines, where each synch would synchronize some part of a data (partition let call it) with groups and users. This approach was taken if I remember correctly in one of US states to synchronize several hundred of k of objects to a cloud.
Basically ... a lot of planning and architecting to make such solution working for users. I doubt this is something you will get answered and resolved on Forum.
Tomek Onyszko, memberOf Predica FIM Team (http://www.predica.pl), IdAM knowledge provider @ http://blog.predica.pl