Solutions
ForgeRock Identity Cloud

Searching for users in the UI is very slow in Identity Cloud

Last updated Mar 2, 2023

The purpose of this article is to provide assistance if you encounter slow searches and performance issues when searching for identities in the UI (native IDM admin UI) in ForgeRock Identity Cloud.


1 reader recommends this article

Symptoms

You see slow searches, or perhaps failed searches, when searching for users in the native IDM admin UI.

If you examine network traffic using your browser's Developer Tools or capture a HAR file, you will see requests such as the following with slow request times (multiple seconds not milliseconds):Request URL: https://<tenant-env-fqdn>/openidm/managed/alpha_user?_queryFilter=userName%20sw%20%22ldapsearch%22%20OR%20givenName%20sw%20%22ldapsearch%22%20OR%20sn%20sw%20%22ldapsearch%22%20OR%20accountStatus%20sw%20%22ldapsearch%22&_pageSize=10&_totalPagedResultsPolicy=EXACT&_fields=userName%2CgivenName%2Csn%2CaccountStatus

You can capture a HAR file as described in: How do I create a HAR file for troubleshooting Identity Cloud?

Recent Changes

Selected or deselected the Searchable option for one or more properties in the Alpha_user or Bravo_user managed objects.

Causes

Properties that have the Searchable option set must also have a corresponding index to support the search. Indexes are configured by ForgeRock and cannot be changed.

If a property is searchable but doesn't have an associated index, you may experience slow searches and poor performance when searching for users. 

When you search, the UI makes a call to the managed/alpha_user (or managed/bravo_user) endpoint and builds a queryFilter based on the first four properties that have the Searchable option enabled. If, for example, the Searchable option is removed from the description property, the UI uses the next property in the list that has the Searchable option set (accountStatus by default). Since this property is not indexed, you will see slow searches, and searches for large data sets may fail.

You can check which four properties are being used by reviewing the requests in the HAR file. The example request in the Symptoms section shows the query is using the userName, givenName, sn and accountStatus properties (fields=userName%2CgivenName%2Csn%2CaccountStatus).

Solution

This issue can be resolved by deselecting the Searchable option on properties that do not have an index. You can do this as follows:

  1. In the Identity Cloud admin UI, go to Native Consoles > Identity Management > Configure > Managed Objects > [User type Managed Object] and click the name of the required property.
  2. Click Show advanced options on the Details tab.
  3. Deselect the Searchable option and click Save.

You should make these changes to both the Alpha_user and Bravo_user managed objects in your Development environment, and then promote your changes.

Searchable properties

The following identity properties do have an index and are the only ones that should have the Searchable option selected:

  • userName
  • givenName
  • sn
  • mail
  • telephoneNumber
  • frIndexedString1 to frIndexedString5
  • frIndexedMultivalued1 to frIndexedMultivalued5
  • frIndexedDate1 to frIndexedDate5
  • frIndexedInteger1 to frIndexedInteger5

The following properties commonly have the Searchable option selected but are not indexed. Review these properties to start with and deselect the Searchable option if it is selected:

  • accountStatus
  • profileImage
  • description
  • any custom_ properties

You can also check which properties are being used by reviewing the requests in a HAR file as noted above.

See Also

Constrain identity queries in the UI


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.