You can set limits on the number of login, launch, and WS-Fed requests that can be made per minute to the VMware Identity Manager service. When the limit is reached, subsequent requests are denied. Setting rate limits helps prevent overload of the system.

For example, if you set the rate limit for login requests to 100, the first 100 login requests per minute are accepted but requests 101-n are denied.

For a VMware Identity Manager cluster, the rate limit applies to each node in the cluster. For example, if you set the login request rate limit to 100 for a cluster that has NodeA, NodeB, and NodeC, NodeA can process 100 login requests per minute, NodeB can process 100 login requests per minute, and NodeC can process 100 login requests per minute. You cannot set separate login limits per node.

When the limit is reached and requests are denied, end users see the following error message:

Login screen error message


No rate limits are set by default.

You set rate limits using a REST API. Use a REST client such as Postman to make the calls to the VMware Identity Manager service. The changes take effect in a few minutes.

Setting Rate Limits

Use this API to set rate limits for the VMware Identity Manager service.

Endpoint: https://hostname/SAAS/jersey/manager/api/system/tuning/resiliency/tenant/orgResiliencyConfiguration?tenantId=tenantId

Method: PUT

Description: Sets the maximum number of login, launch, and WS-Fed requests allowed per minute by the VMware Identity Manager service.

Headers:

Content-Type

application/vnd.vmware.horizon.manager.system.tuning.resiliency.config+json;charset=UTF-8

Accept

application/vnd.vmware.horizon.manager.system.tuning.resiliency.config+json

Authorization

HZN cookie_value

To get the cookie_value, log into the VMware Identity Manager service as the tenant administrator, that is, the admin user that is created when you first install VMware Identity Manager, and obtain the value of the HZN cookie from your browser's cookie cache.

Path Parameters:

hostname

The fully-qualified domain name of the VMware Identity Manager service or load balancer.

tenantId

The tenantId of the VMware Identity Manager service. The tenant ID is the tenant name that appears in the top-right corner of the VMware Identity Manager console.

Request Body:

{
"config": {
         "rateLimitingDisabled": false,
         "rateLimits": {
             "login": {
                 "requestsPerMinute": n
             },
             "launch": {
                 "requestsPerMinute": n
             },
             "ws-fed": {
         "requestsPerMinute": n
         }
     }
 }
 }

Request Body Parameters

login requestsPerMinute

Specify the maximum number of login requests allowed per minute.

Note:

Take into account that multiple API requests might be needed for a login request to complete and each API call counts towards the rate limits. For example, password authentication involves two API calls, one to render the login page and the second to submit credentials.

launch requestsPerMinute

Specify the maximum number of launch requests allowed per minute.

ws-fed requestsPerMinute

Specify the maximum number of WS-Fed requests allowed per minute. WS-Fed rate limits are for Active Logon configurations only.

Viewing Rate Limits

Use this API to view rate limits that are set for the VMware Identity Manager service.

Endpoint: https://hostname/SAAS/jersey/manager/api/system/tuning/resiliency/tenant/orgResiliencyConfiguration?tenantId=tenantId

Method: GET

Description: Retrieves the rate limits that are currently set for login, launch, and WS-Fed requests for the VMware Identity Manager service.

Headers:

Authorization

HZN cookie_value

To get the cookie_value, log into the VMware Identity Manager service as the tenant administrator, that is, the admin user that is created when you first install VMware Identity Manager, and obtain the value of the HZN cookie from your browser's cookie cache.

Path Parameters:

hostname

The fully-qualified domain name of the VMware Identity Manager service or load balancer.

tenantId

The tenant Id of the VMware Identity Manager service. The tenant ID is the tenant name that appears in the top-right corner of the VMware Identity Manager console.

Sample Output:

{
"config": {
         "rateLimitingDisabled": false,
         "rateLimits": {
             "login": {
                 "requestsPerMinute": 100
             },
             "launch": {
                 "requestsPerMinute": 100
             },
             "ws-fed": {
         "requestsPerMinute": 100
         }
     }
 }
 }

login requestsPerMinute

The maximum number of login requests allowed per minute.

launch requestsPerMinute

The maximum number of launch requests allowed per minute.

ws-fed requestsPerMinute

The maximum number of WS-Fed requests allowed per minute. WS-Fed rate limits are for Active Logon configurations only.