About Access Gateway capacity planning and sizing

Determining required capacity in your Okta Access Gateway implementation is crucial to achieving performance.


Capacity planning concepts

Planning an Access Gateway deployment with performance in mind is the first step to success. A typical approach is to estimate the peak number of authentications and authorizations expected per application.

In general, the following areas impact performance:

  • Users - The total number of system users.
  • Accesses - The total number of times a user accesses a system per time period. Typically, we use 24 hours as a basic time interval. However, estimates over longer periods, weeks, even months, result in better estimations.
  • Peak authentication/authorization rates - Peak rates represent the highest expected level of user authentication/authorization in a given period. Peak rates represent the highest expected levels of access.
  • Average authentication/authorization rates - Average or sustained authentication/authorization rates represent the expected norm over the course of a given time period, such as a single day.

In addition, the total number of applications protected by Access Gateway factors in to capacity planning.

Estimating access rates

Average access rates represent a general lower bound on how many accesses a given instance of Access Gateway needs to support. We can estimate average access rates by looking at sets of users that access the system.

To estimate the average access rate, determine:

  • Total users - How many users does this instance serve in total?. Total users represents all users who might ever access the gateway.
  • Estimated daily users - The percentage of users who actually use an application in a given day.
  • Estimated daily accesses - The number of times a given user accesses an application in a given day.
  • Page accesses per sign in - For a given set of authenticated users, how many page accesses are expected during a single session?

With these concepts in mind we can estimate an average authentication rate as:

Average users = Total users / Estimated daily users

Average accesses = Average users / Estimated daily accesses

We can then extrapolate overall accesses by examining:

Overall accesses = Average accesses * Page accesses.

For example, consider three groups of users, each accessing the system, but at different levels.

  • Frequent users - Frequent users access the system regularly, typically multiple times per day.
  • Infrequent users - Infrequent users access the system on occasion but with a much lower frequency.
  • Rare users - Rare users access the system a maximum of 1-3 times a week.

For example:

Assume the total number of users as 10,000.

Frequent average accesses = 10,000 * the number of frequent users

If we assume that 50% of users are frequent users, then we have a baseline of 5,000.

Frequent users typically access the system at least 5 times per day. We can calculate frequent users as:

Frequent users * accesses/day = 5 * 5,000, or 25,000.

Infrequent users are defined as those that access the system 2-3 times a day and represent another 25% of the user base. Accessing the system twice per day.

Infrequent users * accesses per day = 10,000 * 25 = 2500 in frequent users each of which accesses the system three times, up a total of 7,500 accesses per day.

Rare users represent the remaining 25% of the user base. These users access the system a maximum of once a day, but typically only access the system every several days.

Rare accesses =

2,500 * 1 * .5 (total rare users, * total accesses * rarity of access, of once every other day) For a total of 1,250 total accesses.

We can then estimate peak daily uses as:

  • Frequent accesses: 25,000
  • Infrequent accesses: 7,500
  • Rare accesses: 1,250
  • For a total of accesses per day of 33,750.


See Sizing for details of Access Gateway instance sizing.