[keycloak-user] SAML in a keycloak cluster

GKAZGKAS Dimitrios (TAN/MST) Dimitrios.Gkazgkas at tangoservices.lu
Thu Oct 13 13:14:46 EDT 2016


The response from the list to my initial mails was: "After content filtering, the message was empty".

So I am trying to send the same mail without CC and without attachment.



===========

Hello,

We are trying to configure a SAML authentication system in a Keycloak cluster. First, with only one node, we currently manage to authenticate via SAML.

The architecture:
--> we have one Apache reverse proxy with a public and unique endpoint for SAML authentication. We can call the public URL: security.lu

--> the reverse proxy will load-balance all calls that come in on security.lu to two Keycloak nodes: security1.lu and security2.lu (the private URLs).

The issue that we have:
--> The client that integrates SAML has a Tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is referring to security1.lu (the private address, as the Keycloak node only knows its private address).
--> If we arrive during the load-balancing on the security1.lu node, it will work. If I arrive on the second node, security2.lu, it will fail. When I dig a little bit more, it's because in fact the SAMLRequest that is generated looks like this:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://security1.lu:8080/realms/xxx/protocol/saml" ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxxx</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"></samlp:NameIDPolicy></samlp:AuthnRequest>

The error that I get is an invalid_destination, because we receive this SAMLRequest on the security2.lu node:

2016-10-11 14:52:10,152 WARN  [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

From what I see there is, for a SAML client, a Clustering tab where I currently have nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.

Or is there any way to define both security1.lu and security2.lu in the SAML XML configuration that the client integrates?

We have set proxy-address-forwarding=true

Thank you for your help.

Kr,


Dimitrios Gkazgkas
IT Solutions Architect


