About Access Gateway capacity planning and sizing

Determining required capacity in your Okta Access Gateway implementation is crucial to achieving performance.


Capacity Planning Concepts

Planning an Access Gateway deployment with performance in mind is the first step to success. A typical approach is to estimate the peak number of authentication and authorization expected per application.

In general the following areas impact performance:

  • Users - The total number of system users.
  • Accesses - The total number of times a user accesses a system per time period. Typically, we use 24 hours as a basic time interval. However, estimates over longer periods, weeks even months, will result in better estimations.
  • Peak authentication/authorization rates - Peak rates represent the highest expected level of user authentication/authorization in a given period. Peak rates represent the highest expected levels of access.
  • Average authentication/authorization rates - Average or sustained authentication/authorization rates represent the expected norm over the course of a given time period, such as a single day.

In addition, the total number of applications protected by Access Gateway factors in to capacity planning.

Estimating Access Rates

Average access rates represent a general lower bound on how many accesses a given instance of Access Gateway needs to support. We can estimate average access rates by looking at sets of users that access the system.

Estimating the average access rate requires the determination of:

  • Total users - How many users are served by this instance, in total. Total users represents all users who might ever access the gateway.
  • Estimated daily users - The percentage of users who actually use an application in a given day.
  • Estimated daily accesses- The number of times a given user accesses an application in a given day.
  • Page accesses per login- For a given set of authenticated users, how many page accesses are expected during a single session?

With these concepts in mind we can estimate an average authentication rate as:

Average users = Total users * estimated daily users.

Average accesses = average users * estimated daily accesses.

We can then extrapolate overall accesses by examining:

overall accesses = Average accesses * page accesses.

For example, consider three groups of users, each accessing the system, but at different levels.

  • Frequent users - frequent users access the system regularly, typically multiple times per day.
  • Infrequent users - Infrequent users access the system on occasion but with a much lower frequency.
  • Rare users. - Rare users access the system.

For example:

Assuming a total number of users of 10,000.

Frequent average accesses = 10.000 * the number of frequent users.
If we assume that 50% of users are frequent users then we have a baseline of 5,000.

Frequent users typically access the system no less then 5 times per day. We can calculate frequent users as:

Frequent users * accesses/day = 5 * 5,000, or 25,000.

Infrequent users are defined as those that access the system 2-3 times a day and represent another 25% of the user base.  Accessing the system twice per day.

In frequent users * accesses/day = 10,000* 25 or 2500 in frequent users each of which accesses the system 3 times, up a total of 7,500 accesses per day.

Rare users represent the renaming users. These users access the system a maximum of once a day, but typically only access the system every several days.

Rare accesses =

2,500 * 1 * .5 (total rare users, * total accesses * rarity of access, of once every other day)  For a total of 1,250 total accesses.


We can then estimate peak daily uses as:

  • Frequent accesses: 25,000
  • Infrequent accesses: 7,500
  • Rare accesses: 1,250
  • For a total of accesses per day of 33,750.


See Sizing for details of Access Gateway instance sizing.