[keycloak-user] Logout in cluster environments

Pulkit Gupta pulgupta at redhat.com
Fri Jan 20 11:29:23 EST 2017


We can't really move to OIDC as we have already used SAML for a number of
apps.
Is clustering not supported by SAML client adapters for Jboss?

Regards,
Pulkit


On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda <mposolda at redhat.com> wrote:

> This is supposed to work for Keycloak OIDC clients and some docs are here:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html
>
> I don't know about Keycloak SAML clients. Is it an alternative for you to
> try OIDC instead of SAML?
>
> Marek
>
> On 20/01/17 08:19, Pulkit Gupta wrote:
>
>> Hi All,
>>
>> I am running multiple applications deployed on a Jboss cluster with
>> infinispan used as a cache and for distributed sessions.
>> I verified and can see that session replication is working for a normal
>> application where I can see the same session on all the servers in the
>> cluster and hence the application is working fine without session
>> stickiness.
>>
>> However when I am trying to use any Keycloak SAML client based application
>> it is only working if the request is going to a particular box in the
>> cluster. On all the other boxes we are getting errors.
>> From this behavior I am concluding that somehow for Keycloak based
>> applications sessions are not getting replicated.
>> Both these applications have <distributable /> tag in them so I am not sure
>> why it is showing different behaviour.
>>
>> I know we can fix this by just enabling session stickiness but we want the
>> sessions to be replicated as well.
>> This is because we want to make our set up more resilient. Also in case of
>> logout when Keycloak is sending a back channel logout request it may send
>> it to any server in the cluster.
>> If the sessions are not properly replicated then the logout will fail as
>> the session will remain preserved on some other server in the cluster.
>>
>> Can someone please suggest something to try?
>>
>>
>


-- 
Thanks,
Pulkit
AMS

