About Access Gateway capacity planning and sizing

Determining required capacity in your Okta Access Gateway implementation is crucial to achieving performance.


Capacity planning concepts

Planning an Access Gateway deployment with performance in mind is the first step to success. A typical approach is to estimate the peak number of authentications and authorizations expected per application.

In general, the following areas impact performance:

  • Users - The total number of system users.
  • Accesses - The total number of times a user accesses a system per time period. Typically, we use 24 hours as a basic time interval. However, estimates over longer periods, weeks, even months, result in better estimations.
  • Peak authentication/authorization rates - Peak rates represent the highest expected level of user authentication/authorization in a given period. Peak rates represent the highest expected levels of access.
  • Average authentication/authorization rates - Average or sustained authentication/authorization rates represent the expected norm over the course of a given time period, such as a single day.

In addition, the total number of applications protected by Access Gateway factors in to capacity planning.

Estimating access rates

Average access rates represent a lower bound on how many accesses a given instance of Access Gateway needs to support. You can estimate average access rates by looking at the sets of users that access the system.

To estimate the average access rate, determine:

  • Total users: How many users does this instance serve in total? This value represents the total number of users who might ever access the gateway.
  • Estimated daily users: The percentage of users who use an application on a given day.
  • Estimated daily accesses: The number of times a specific user accesses an application on a specific day.
  • Page accesses for each session: For a given set of authenticated users, what is the expected number of page accesses during a single session?

With these concepts in mind, you can estimate an average authentication rate as:

  • Average users = Total users / Estimated daily users
  • Average accesses = Average users / Estimated daily accesses

Extrapolate overall accesses by examining:

  • Overall accesses = Average accesses * Page accesses.

Consider grouping users by the frequency that they access the system:

  • Frequent users: Frequent users access the system regularly, typically multiple times per day.
  • Infrequent users: Infrequent users access the system on occasion but with a much lower frequency.
  • Rare users: Rare users access the system a maximum of one to three times a week.

The following sample demonstrates how to produce an estimate:

  • Assume the total number of users is 10,000.
  • Frequent average accesses = 10,000 * the number of frequent users.

If we assume that 50% of users are frequent users, then we have a baseline of 5,000.

Frequent users typically access the system at least five times per day. Use this to calculate the number of frequent users as:

  • Frequent users * accesses/day = 5 * 5,000 = 25,000

Infrequent users access the system two or three times a day, and represent another 25% of the user base.

  • Infrequent users * accesses per day = 10,000 * 25 = 2500 in frequent users each of which accesses the system three times, up a total of 7,500 accesses per day.

Rare users represent the remaining 25% of the user base. These users access the system a maximum of once a day, but typically only access the system every several days.

Rare accesses = total rare users, * total accesses * rarity of access, of once every other day = 2,500 * 1 * .5 = 1,250 total accesses.

You can estimate peak daily uses as:

  • Frequent accesses: 25,000
  • Infrequent accesses: 7,500
  • Rare accesses: 1,250
  • This produces a total daily accesses of 33,750.


See Sizing for details of Access Gateway instance sizing.