Searching for users in the UI is very slow in Identity Cloud
The purpose of this article is to provide assistance if you encounter slow searches and performance issues when searching for identities in the UI (native IDM admin UI) in ForgeRock Identity Cloud.
Symptoms
You see slow searches, or perhaps failed searches, when searching for users in the native IDM admin UI.
If you examine network traffic using your browser's Developer Tools or capture a HAR file, you will see requests such as the following with slow request times (multiple seconds, not milliseconds):
Request URL: https://<tenant-env-fqdn>/openidm/managed/alpha_user?_queryFilter=userName%20sw%20%22ldapsearch%22%20OR%20givenName%20sw%20%22ldapsearch%22%20OR%20sn%20sw%20%22ldapsearch%22%20OR%20accountStatus%20sw%20%22ldapsearch%22&_pageSize=10&_totalPagedResultsPolicy=EXACT&_fields=userName%2CgivenName%2Csn%2CaccountStatus
You can capture a HAR file as described in: How do I create a HAR file for troubleshooting Identity Cloud?
Recent Changes
Selected or deselected the Searchable option for one or more properties in the Alpha_user or Bravo_user managed objects.
Causes
Properties that have the Searchable option set must also have a corresponding index to support the search. Indexes are configured by ForgeRock and cannot be changed.
If a property is searchable but doesn't have an associated index, you may experience slow searches and poor performance when searching for users.
When you search, the UI makes a call to the managed/alpha_user (or managed/bravo_user) endpoint and builds a queryFilter based on the first four properties that have the Searchable option enabled. If, for example, the Searchable option is removed from the description property, the UI uses the next property in the list that has the Searchable option set (accountStatus by default). Since this property is not indexed, you will see slow searches, and searches for large data sets may fail.
You can check which four properties are being used by reviewing the requests in the HAR file. The example request in the Symptoms section shows the query is using the userName, givenName, sn and accountStatus properties (_fields=userName%2CgivenName%2Csn%2CaccountStatus).
Solution
This issue can be resolved by deselecting the Searchable option on properties that do not have an index. You can do this as follows:
- In the Identity Cloud admin UI, go to Native Consoles > Identity Management > Configure > Managed Objects > [User type Managed Object] and click the name of the required property.
- Click Show advanced options on the Details tab.
- Deselect the Searchable option and click Save.
You should make these changes to both the Alpha_user and Bravo_user managed objects in your Development environment, and then promote your changes.
Searchable properties
The following identity properties do have an index and are the only ones that should have the Searchable option selected:
- userName
- givenName
- sn
- telephoneNumber
- frIndexedString1 to frIndexedString5
- frIndexedMultivalued1 to frIndexedMultivalued5
- frIndexedDate1 to frIndexedDate5
- frIndexedInteger1 to frIndexedInteger5
The following properties commonly have the Searchable option selected but are not indexed. Review these properties to start with and deselect the Searchable option if it is selected:
- accountStatus
- profileImage
- description
- any custom_ properties
You can also check which properties are being used by reviewing the requests in a HAR file as noted above.
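One way to automate the HAR review described above, as an added example that is not ForgeRock's code: it finds slow managed/alpha_user and managed/bravo_user searches and reports any property in the _queryFilter that is missing from the indexed list in this article. The 1000 ms threshold, the function names, the host name and the sample timings are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indexed identity properties, taken from the list in this article.
INDEXED = {"userName", "givenName", "sn", "telephoneNumber"} | {
    f"frIndexed{kind}{n}"
    for kind in ("String", "Multivalued", "Date", "Integer")
    for n in range(1, 6)
}
MANAGED_USER = re.compile(r"/openidm/managed/(?:alpha|bravo)_user$")
QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')  # string literals in the filter
# A property name is the token directly before a comparison operator.
PROP = re.compile(r"([A-Za-z_][\w/]*)\s+(?:eq|co|sw|lt|le|gt|ge|pr)\b")


def filter_properties(query_filter):
    """Return property names used in a _queryFilter, in order, de-duplicated."""
    stripped = QUOTED.sub('""', query_filter)  # ignore the typed search text
    return list(dict.fromkeys(PROP.findall(stripped)))


def unindexed_searches(har, slow_ms=1000):
    """Return (path, elapsed_ms, unindexed_props) for slow managed-user searches."""
    findings = []
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if not MANAGED_USER.search(url.path):
            continue
        query_filter = parse_qs(url.query).get("_queryFilter", [""])[0]
        bad = [p for p in filter_properties(query_filter) if p not in INDEXED]
        if bad and entry.get("time", 0) >= slow_ms:  # slow_ms is an assumed cut-off
            findings.append((url.path, entry["time"], bad))
    return findings


# Constructed sample HAR: the request from the Symptoms section plus a fast,
# fully indexed search. Host name and timings are made up.
BASE = "https://tenant.example.invalid/openidm/managed/alpha_user?_queryFilter="
SAMPLE_HAR = {"log": {"entries": [
    {"time": 4200, "request": {"url": BASE +
        "userName%20sw%20%22ldapsearch%22%20OR%20givenName%20sw%20%22ldapsearch%22"
        "%20OR%20sn%20sw%20%22ldapsearch%22%20OR%20accountStatus%20sw%20%22ldapsearch%22"
        "&_pageSize=10&_totalPagedResultsPolicy=EXACT"
        "&_fields=userName%2CgivenName%2Csn%2CaccountStatus"}},
    {"time": 85, "request": {"url": BASE + "userName%20sw%20%22jdoe%22&_pageSize=10"}},
]}}

if __name__ == "__main__":
    for path, ms, props in unindexed_searches(SAMPLE_HAR):
        print(f"{path}: {ms} ms, unindexed searchable properties: {props}")
```

For a real capture, load the HAR file with json.load and pass the resulting dictionary to unindexed_searches; each property it reports is a candidate for deselecting the Searchable option.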