Performance Issues in SCIM User Lookup of "/ids/Users" Endpoint #2705

Closed
adrianhoelzl-sap opened this issue Feb 2, 2024 · 1 comment · Fixed by #2704
adrianhoelzl-sap commented Feb 2, 2024

The endpoint "/ids/Users" allows filtering the users of an identity zone by ID and/or username by using a SCIM filter. Furthermore, it (optionally) allows restricting the result to only those users that come from an active IdP.

In the endpoint handler, this filter for active origins is implemented by constructing an additional clause in the SCIM filter: first, all active IdPs in the current identity zone are read. Second, for each of their origins, the clause `origin eq <origin key>` is added to the SCIM filter (combined by using the `or` operator).

This modified SCIM filter is then passed to the endpoint handler of the regular SCIM users endpoint, where an SQL query is generated from it. Analogous to the SCIM filter, this query will contain a `WHERE` clause containing one `origin = <origin key>` condition for each origin of an active IdP.

Especially for a large number of active IdPs in an identity zone, the execution of this query will become less performant.

Due to the nature of the original SCIM filter, i.e., only allowing the username and/or the ID of the user, there will be relatively few matches. Therefore, the following approach is more efficient:

First, fetch users by applying the initial filter (i.e., the one containing only conditions regarding the user's ID and/or username). Then, if necessary (i.e., if only users from active IdPs shall be returned), these IdPs are to be read and the users list finally filtered for the origins of the active IdPs in Java code.

@adrianhoelzl-sap adrianhoelzl-sap self-assigned this Feb 2, 2024
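
The two-step lookup proposed in the issue above, as an added sketch that is not taken from the issue or from the UAA code base. The `User` and `IdentityProvider` records, the `includeInactive` flag, the `idpLookup` supplier and the sample data are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;

public class ActiveOriginFilterExample {
    // Hypothetical minimal types; the project's real user and IdP classes carry more fields.
    record User(String id, String userName, String origin) {}
    record IdentityProvider(String originKey, boolean active) {}

    // Second step of the proposal: the list was already narrowed by the id/userName
    // filter, so the origin check is one set lookup per user instead of one SQL
    // condition per active IdP.
    static List<User> restrictToActiveOrigins(List<User> matchedUsers,
                                              boolean includeInactive,
                                              Supplier<List<IdentityProvider>> idpLookup) {
        if (includeInactive || matchedUsers.isEmpty()) {
            return matchedUsers; // IdPs are read only when the restriction is needed
        }
        Set<String> activeOrigins = idpLookup.get().stream()
                .filter(IdentityProvider::active)
                .map(IdentityProvider::originKey)
                .collect(Collectors.toSet());
        return matchedUsers.stream()
                .filter(u -> activeOrigins.contains(u.origin()))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data: users returned by the initial filter userName eq "alice".
        List<User> matched = List.of(
                new User("1", "alice", "uaa"),
                new User("2", "alice", "ldap"),
                new User("3", "alice", "old-saml"));
        List<IdentityProvider> idps = List.of(
                new IdentityProvider("uaa", true),
                new IdentityProvider("ldap", true),
                new IdentityProvider("old-saml", false));

        // Restricted to active IdPs: the user from the disabled "old-saml" origin is dropped.
        System.out.println(restrictToActiveOrigins(matched, false, () -> idps));
        // No restriction requested: the IdP lookup must not run at all.
        System.out.println(restrictToActiveOrigins(matched, true, () -> {
            throw new IllegalStateException("IdPs must not be read when inactive users are included");
        }));
    }
}
```
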
@cf-gitbot
We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186970848

The labels on this GitHub issue will be updated when the story is started.
