Slowness while login and/or password reset/Unlock Account

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We’re currently experiencing performance issues within the SailPoint IdentityIQ module. This is causing delays when loading certain pages when accessing specific functionalities.
1- When a user tries to access the sailpoint URL and provides the credentials, by clicking submit, it takes an average of 43 seconds to load and access the HomePage.
2- When accessing the “Forget Password” or “Unlock Password” functionality on the login page, it takes an average of 41 seconds to load the page to provide the updated password.
3- Once the “Forget Password” functionality is available, an OTP is generated. Once the OTP values and the passwords are provided, and on clicking Submit it takes around the same amount of time(average of 42 seconds) to validate and update the result for the same.

Any thoughts or suggestions on how can we fix that?

@MuhammadMustafa , does you have any provisioning or requests being triggered on the UI servers?

Login, password reset or unlock are foregrounds.therefore it appears that the server is waiting the thread to be pickup and executed.
Also communications with the AD could also cause slowliness.

Can you provide more info about the architecture.

Hi @MuhammadMustafa

It would be possible provide more information about your architecture, use of load balancer, what application server you are using, etc…
From other side, can you provide more details about your authentication method. it is through Active Directory?

Finally, please provide any log to check the error that you are facing.

Hey @ipobeidi thanks for your response,

• Does you have any provisioning or requests being triggered on the UI servers?
  nope, it’s only 1 server not a big Env at all, also we are leveraging the Password Rest Functionalities only for this deployment.

• Login, password reset or unlock are foregrounds.therefore it appears that the server is waiting the thread to be pickup and executed.
  Exaclty, but unfortunately it’s not the case.

• Also communications with the AD could also cause slowliness.
  I’m suspecting that as of now, but don’t know what might cause a delay :), especially when my colleague checked the test connection and it’s taking about/more 1.3 mins

• Can you provide more info about the architecture.
  Simply 1 server, no LB, PTA authentication via AD, PWI & DPR (for password reset), integration with a private/custom SMS gateway.
  So it’s a simple one

We are investigating now with SailPoint Support as well.

Hey @ismaelmoreno1

It would be possible to provide more information about your architecture, use of load balancer, what application server you are using, etc…

Simply 1 server, no LB, PTA authentication via AD, PWI & DPR (for password reset), integration with a private/custom SMS gateway, tomcat 9.0.85
So it’s a simple one

From other side, can you provide more details about your authentication method. it is through Active Directory?

Yup AD PTA

Finally, please provide any log to check the error that you are facing.
I will try to raise the logs and see, will keep you posted

Do you have multiple custom quicklink in your env ?

Hey thanks for the responses.
How many threards does this server have? Also could you enable debug on the IQservice and log in and se how long it take to send the response back?

best!

Hi @vishal_kejriwal1 nope, we don’t have

we have seen this issue were we have the custom and complex membership rule for some of the quicklink ( custom / ootb) . When you click on any of the quick-link pretty much system will try to execute all the quick-link membership rule and can take more time .

It looks like you have multiple authentication (login) options enabled and the 1st one is giving a timeout.

I have seen the same when Pass-Through Authentication was enabled to an AD, where the AD server was not responding. After a timeout IIQ switched to Internal IdentityIQ Authentication.

You might also have MFA enabled without a proper configuration.

Can you check which Login options are enabled and try to disable 1-by-1 to see if the login (and others) are fast again (Gear->General Settings->Login Configuration).

Please take a look at the following link for more information:
https://community.sailpoint.com/t5/Technical-White-Papers/IdentityIQ-Login-Configuration/ta-p/76904

– Remold

You can also check the variable on the system configuration to tweak the login duration:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Configuration PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Configuration created="1608312632666" id="7f00000176761712817676e7355a00e4" modified="1712689788409" name="SystemConfiguration">
  <Attributes>
    <Map>
      <entry key="AccountGroupPermissions.challengeGenerationEmailTemplate" value="Account Group Challenge Creation Notification"/>
      **<entry key="LoginAuthDurationMillis" value="3600000"/>**
      <entry key="ProtectedUserLockout" value="true"/>

or also change the Login Error Style to see what IIQ is receiving it .

Hi @vishal_kejriwal1 after checking, yes our team created a simple quicklink however they removed it now and the issue still persists, unfortunately.

Thanks a lot for your note and suggestion

Hi @Remold we don’t have multiple auth options/methods our team double-checked that.

Thanks a lot for your note nad suggestion :).

Hi @ipobeidi I will check this one and let you know.
However, the support team (SailPoint support) saying most probably it’s a network/connection issue.

Will keep you all posted here as we are already opening a case with SailPoint support

Any ootb quicklink were you modified visibility based on complex membership rule ?

Hi @vishal_kejriwal1 Nope, our team confirmed that however, I will double-check again by myself on Monday.

Did you try checking with db team that which query is taking more time ?