Load Testing ADFS Websites

March 1, 2023

On a recent project, I was tasked with load testing a website which was currently under development. This article reviews some challenges encountered with ADFS authentication and the approach taken to overcome them.  

The website being developed utilized ADFS security which had already been implemented. I used Visual Studio to create a web performance test (WPT). Unfortunately, the freshly recorded WPT wouldn't successfully execute; it was failing on the authentication calls into ADFS. So much for a quick and easy solution, right? So it's off to Google to search for helpful articles. Ironically, the article that ended up being the most helpful was one written by Deliveron's Mike Douglas, which provided a portion of the approach that would be needed.

Using Mike's suggestions, I converted my WPT to a coded WPT and stepped through the code using the debugger. Enlightening as this was, I was still unable to put my finger on what was happening; something was missing. I did learn that Visual Studio's WPT does not execute JavaScript. Suspecting that there may be additional information being added via JavaScript, I used another tool to trace the calls and used a SAML token to interrogate the authentication process. This led to the discovery that some additional parameters were being added in a call back to ADFS. So, after some head scratching, teeth gnashing, warm caffeinated beverages, and teamwork, the code was corrected and I got the authentication portion of the coded WPT working. Lastly, I added the logic from Mike's article to check for the FEDAUTH cookie and bypass the 5 calls into ADFS. This needed to be done for the load test to execute successfully. As Visual Studio scales up the number of users, sessions get reused; once a session is already authenticated, the web test will fail if it doesn't bypass the authentication calls and jump directly to the website content.
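The cookie check described above, written as a Visual Studio coded web test. This is an added example, not the project's code or the code from Mike's article; the class name, `SiteUrl`, and the `SignInRequests` placeholder are hypothetical, and it assumes the site's session cookie uses the name `FedAuth`, possibly split into numbered chunks.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.VisualStudio.TestTools.WebTesting;

public class AdfsAwareWebTest : WebTest
{
    // Assumed placeholders: substitute the site under test.
    private const string SiteUrl = "https://app.example.test/";
    private const string SessionCookiePrefix = "FedAuth";

    public override IEnumerator<WebTestRequest> GetRequestEnumerator()
    {
        // A reused virtual user keeps its cookie container, so only sign in
        // when no session cookie for the site is present.
        if (!HasSessionCookie(Context.CookieContainer, new Uri(SiteUrl)))
        {
            foreach (WebTestRequest request in SignInRequests())
            {
                yield return request;
            }
        }

        // Site content requests run on every iteration.
        yield return new WebTestRequest(SiteUrl);
    }

    // True when the container holds a live FedAuth cookie scoped to the site.
    // The prefix match also covers chunked cookies (FedAuth, FedAuth1, ...).
    private static bool HasSessionCookie(CookieContainer cookies, Uri site)
    {
        if (cookies == null) return false;
        foreach (Cookie cookie in cookies.GetCookies(site))
        {
            bool nameMatches = cookie.Name.StartsWith(
                SessionCookiePrefix, StringComparison.OrdinalIgnoreCase);
            if (nameMatches && !cookie.Expired && cookie.Value.Length > 0)
            {
                return true;
            }
        }
        return false;
    }

    // Placeholder: the recorded ADFS sign-in requests go here, in order.
    private IEnumerable<WebTestRequest> SignInRequests()
    {
        yield return new WebTestRequest(SiteUrl); // first recorded request
    }
}
```

The check is made against the site's own URL so that cookies set for the ADFS host are not mistaken for an authenticated site session.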

In conclusion, ADFS authentication can prove challenging to overcome in load tests. ADFS implementations vary greatly from network to network, and in our case we had to get creative in discovering how to get around this. Chrome's Network profiler and SAML Tracer for Firefox were integral to learning how authentication was taking place. Lastly, in addition to leveraging some new tools, I was able to incorporate knowledge from a colleague to weave together a solution that got the job done.

Happy Testing!