Share all details related to your problem, including any error messages you may have received.
We’re currently experiencing performance issues within the SailPoint IdentityIQ module. This is causing delays when loading certain pages when accessing specific functionalities.
1- When a user tries to access the sailpoint URL and provides the credentials, by clicking submit, it takes an average of 43 seconds to load and access the HomePage.
2- When accessing the “Forget Password” or “Unlock Password” functionality on the login page, it takes an average of 41 seconds to load the page to provide the updated password.
3- Once the “Forget Password” functionality is available, an OTP is generated. Once the OTP values and the passwords are provided, and on clicking Submit it takes around the same amount of time(average of 42 seconds) to validate and update the result for the same.
Any thoughts or suggestions on how can we fix that?
@MuhammadMustafa , does you have any provisioning or requests being triggered on the UI servers?
Login, password reset or unlock are foregrounds.therefore it appears that the server is waiting the thread to be pickup and executed.
Also communications with the AD could also cause slowliness.
It would be possible provide more information about your architecture, use of load balancer, what application server you are using, etc…
From other side, can you provide more details about your authentication method. it is through Active Directory?
Finally, please provide any log to check the error that you are facing.
Does you have any provisioning or requests being triggered on the UI servers?
nope, it’s only 1 server not a big Env at all, also we are leveraging the Password Rest Functionalities only for this deployment.
Login, password reset or unlock are foregrounds.therefore it appears that the server is waiting the thread to be pickup and executed.
Exaclty, but unfortunately it’s not the case.
Also communications with the AD could also cause slowliness.
I’m suspecting that as of now, but don’t know what might cause a delay :), especially when my colleague checked the test connection and it’s taking about/more 1.3 mins
Can you provide more info about the architecture.
Simply 1 server, no LB, PTA authentication via AD, PWI & DPR (for password reset), integration with a private/custom SMS gateway.
So it’s a simple one
We are investigating now with SailPoint Support as well.
It would be possible to provide more information about your architecture, use of load balancer, what application server you are using, etc…
Simply 1 server, no LB, PTA authentication via AD, PWI & DPR (for password reset), integration with a private/custom SMS gateway, tomcat 9.0.85
So it’s a simple one
From other side, can you provide more details about your authentication method. it is through Active Directory?
Yup AD PTA
Finally, please provide any log to check the error that you are facing.
I will try to raise the logs and see, will keep you posted
Hey thanks for the responses.
How many threards does this server have? Also could you enable debug on the IQservice and log in and se how long it take to send the response back?
we have seen this issue were we have the custom and complex membership rule for some of the quicklink ( custom / ootb) . When you click on any of the quick-link pretty much system will try to execute all the quick-link membership rule and can take more time .
It looks like you have multiple authentication (login) options enabled and the 1st one is giving a timeout.
I have seen the same when Pass-Through Authentication was enabled to an AD, where the AD server was not responding. After a timeout IIQ switched to Internal IdentityIQ Authentication.
You might also have MFA enabled without a proper configuration.
Can you check which Login options are enabled and try to disable 1-by-1 to see if the login (and others) are fast again (Gear->General Settings->Login Configuration).
Hi @ipobeidi I will check this one and let you know.
However, the support team (SailPoint support) saying most probably it’s a network/connection issue.
Will keep you all posted here as we are already opening a case with SailPoint support
Thanks a lot for your support ,I got a reply from SailPoint and it’s resolved, will add it now to share with other guys whom supported me here in the post/topic
There was an overall delay in loading identityIQ Password Reset pages – delay of 43 secs.
The Overall test connection to AD application delay was of 1.31 mins. For password reset via SMS there was a delay of 43 secs.
To confirm, we also monitored the network latency to see if there was traffic but with no issues there.
We also raised the log levels and found a delay of 43 seconds was coming up while creating runSpace for implementing the operations from SailPoint IdentityIQ.
Solution
After providing IP in Domain Configuration (In Servers settings of AD Application definition), the Test connection was quick and the reset password also got executed successfully within 5 seconds.
Added all IPs of all DCs under the Servers list and performed use cases to validate the results and all the password resets and delays in loading the page were resolved.
Explanation for the solution
It is important to provide the IP addresses of all the domain controllers in the server list of forest and domain configurations.
*** What happens when this is not configured?***
When you are not provided with the list of servers under the configuration, IQService runs a command in PowerShell that executes a statement and fetches the available DC.
This PowerShell script run takes delay causing the test connection and update on password reset to take longer time.
On the other hand, when you provide with the list of IPs of the domain controllers under the configuration, IQService, since already knowing the list of IP addresses, IQService will randomly go to one DC and fetch the details.
Hence, there is no delay since IQService is not going to PowerShell and running the script run.