[keycloak-user] Logout in cluster environments

[Pulkit Gupta]

Hi Marek,

In continuation to the previous mail I can see that the SAML assertion is
getting deleted but the individual sessions within different applications
are getting maintained.
And thus the user is able to login back to the applications which he was
using.
But if he is opening a new application for the first time and as there is
no existing session and SAML assertion is already deleted he is correctly
asked to enter his credentials.
I think this will be helpful for you to pin point the issue.

Regards,
Pulkit

On Wed, Jan 25, 2017 at 1:59 PM, Pulkit Gupta <pulgupta at redhat.com> wrote:

> Thanks Marek,
>
> I worked more around this and now the sessions are getting replicated
> across the cluster for our applications.
>
> However still I can see that when we logout we are able to login back
> without entering the credentials.
> This happens most of the times but a few times we are logged out correctly.
>
> I am not sure why the logout is not ending the user session and why we are
> able to visit the protected resource without re authenticating.
> Can you please suggest something where can I look.
>
> Regards,
> Pulkit
>
>
>
> On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> I don't see anything in our documentation for Keycloak SAML adapter. Not
>> sure if we support clustering or not. Maybe someone else knows.
>>
>> But I think that if you have <distributable /> in your applications and
>> it still doesn't work, then feel free to create JIRA.
>>
>> Marek
>>
>> On 20/01/17 17:29, Pulkit Gupta wrote:
>>
>> We can't really move to OIDC as we have already used SAML for a number of
>> apps.
>> Is clustering not supported by SAML client adapters for Jboss?
>>
>> Regards,
>> Pulkit
>>
>>
>> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> This is supposed to work for Keycloak OIDC clients and some docs is here
>>> https://keycloak.gitbooks.io/securing-client-applications-gu
>>> ide/content/topics/oidc/java/application-clustering.html .
>>>
>>> I don't know about Keycloak SAML clients. Is it an alternative for you
>>> to try OIDC instead of SAML?
>>>
>>> Marek
>>>
>>> On 20/01/17 08:19, Pulkit Gupta wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am running multiple applications deployed on a Jboss cluster with
>>>> infinispan used as a cache and for distributed sessions.
>>>> I verified and can see that session replication is working for a normal
>>>> application where I can see the same session on all the servers in the
>>>> cluster and hence the application is working fine without session
>>>> stickiness.
>>>>
>>>> However when I am trying to use any Keycloak SAML client based
>>>> application
>>>> it is only working if the request is going to a particular box in the
>>>> cluster. On all the other boxes we are getting errors.
>>>> >From this behavior I am concluding that somehow for Keycloak based
>>>> applications sessions are not getting replicated.
>>>> Both these applications has <distributable /> tag in them so I am not
>>>> sure
>>>> why it is showing different behaviour.
>>>>
>>>> I know we can fix this by just enabling session stickiness but we want
>>>> the
>>>> sessions to be replicated as well.
>>>> This is because we want to make our set up more resilient. Also in case
>>>> of
>>>> logout when Keycloak is sending a back channel logout request it amy
>>>> send
>>>> it to any server in the cluster.
>>>> If the sessions are not properly replicated then the logout will fail as
>>>> the session will remain preserved on some other server in the cluster.
>>>>
>>>> Can someone please suggest me something what to try.
>>>>
>>>>
>>>
>>
>>
>> --
>> Thanks,
>> Pulkit
>> AMS
>>
>>
>>
>
>
> --
> Thanks,
> Pulkit
> AMS
>



-- 
Thanks,
Pulkit
AMS