Setting Rate Limits on the VMware Identity Manager Service

You can set limits on the number of login, launch, and WS-Fed requests that can be made per minute to the VMware Identity Manager service. When the limit is reached, subsequent requests are denied. Setting rate limits helps prevent overload of the system.

For example, if you set the rate limit for login requests to 100, the first 100 login requests per minute are accepted but requests 101-n are denied.

For a VMware Identity Manager cluster, the rate limit applies to each node in the cluster. For example, if you set the login request rate limit to 100 for a cluster that has NodeA, NodeB, and NodeC, NodeA can process 100 login requests per minute, NodeB can process 100 login requests per minute, and NodeC can process 100 login requests per minute. You cannot set separate login limits per node.

When the limit is reached and requests are denied, end users see the following error message:

No rate limits are set by default.

You set rate limits using a REST API. Use a REST client such as Postman to make the calls to the VMware Identity Manager service. The changes take effect in a few minutes.

Setting Rate Limits

Use this API to set rate limits for the VMware Identity Manager service.

Endpoint: https://hostname/SAAS/jersey/manager/api/system/tuning/resiliency/tenant/orgResiliencyConfiguration?tenantId=tenantId

Method: PUT

Description: Sets the maximum number of login, launch, and WS-Fed requests allowed per minute by the VMware Identity Manager service.

Headers:

Content-Type	`application/vnd.vmware.horizon.manager.system.tuning.resiliency.config+json;charset=UTF-8`
Accept	`application/vnd.vmware.horizon.manager.system.tuning.resiliency.config+json`
Authorization	`HZN cookie_value` To get the `cookie_value`, log into the VMware Identity Manager service as the tenant administrator, that is, the admin user that is created when you first install VMware Identity Manager, and obtain the value of the HZN cookie from your browser's cookie cache.

Path Parameters:

`hostname`	The fully-qualified domain name of the VMware Identity Manager service or load balancer.
`tenantId`	The tenantId of the VMware Identity Manager service. The tenant ID is the tenant name that appears in the top-right corner of the VMware Identity Manager console.

Request Body:

{
"config": {
         "rateLimitingDisabled": false,
         "rateLimits": {
             "login": {
                 "requestsPerMinute": n
             },
             "launch": {
                 "requestsPerMinute": n
             },
             "ws-fed": {
         "requestsPerMinute": n
         }
     }
 }
 }

Request Body Parameters

login requestsPerMinute	Specify the maximum number of login requests allowed per minute. Note: Take into account that multiple API requests might be needed for a login request to complete and each API call counts towards the rate limits. For example, password authentication involves two API calls, one to render the login page and the second to submit credentials.
launch requestsPerMinute	Specify the maximum number of launch requests allowed per minute.
ws-fed requestsPerMinute	Specify the maximum number of WS-Fed requests allowed per minute. WS-Fed rate limits are for Active Logon configurations only.

Viewing Rate Limits

Use this API to view rate limits that are set for the VMware Identity Manager service.

Endpoint: https://hostname/SAAS/jersey/manager/api/system/tuning/resiliency/tenant/orgResiliencyConfiguration?tenantId=tenantId

Method: GET

Description: Retrieves the rate limits that are currently set for login, launch, and WS-Fed requests for the VMware Identity Manager service.

Headers:

Authorization

HZN cookie_value

To get the cookie_value, log into the VMware Identity Manager service as the tenant administrator, that is, the admin user that is created when you first install VMware Identity Manager, and obtain the value of the HZN cookie from your browser's cookie cache.

Path Parameters:

`hostname`	The fully-qualified domain name of the VMware Identity Manager service or load balancer.
`tenantId`	The tenant Id of the VMware Identity Manager service. The tenant ID is the tenant name that appears in the top-right corner of the VMware Identity Manager console.

Sample Output:

{
"config": {
         "rateLimitingDisabled": false,
         "rateLimits": {
             "login": {
                 "requestsPerMinute": 100
             },
             "launch": {
                 "requestsPerMinute": 100
             },
             "ws-fed": {
         "requestsPerMinute": 100
         }
     }
 }
 }

login requestsPerMinute	The maximum number of login requests allowed per minute.
launch requestsPerMinute	The maximum number of launch requests allowed per minute.
ws-fed requestsPerMinute	The maximum number of WS-Fed requests allowed per minute. WS-Fed rate limits are for Active Logon configurations only.