Hello All,
We configured an external SAML-based identity provider in a realm. When the user comes
back to Keycloak after successful authentication at the external IdP, Keycloak gives either
a "Page expired" or a "Not found serialized context in authenticationSession" error.
The steps to reproduce the issue are as follows:
1. Access the corresponding realm login page and then click on the identity provider
link to log in using the external IdP.
2. This will take us to the external identity provider. After successful authentication
at the external IdP, the user will be redirected back to the Keycloak instance with a valid
SAMLResponse.
3. Then there is a chance that, instead of either showing the first-broker-login flow
or the profile page, you are presented with a 'Page expired' error or a 'Not found
serialized context in authenticationSession' error.
Some information about my environment:
1. Three Keycloak instances running in standalone mode. All of them are connected to a common
DB and an external Infinispan cluster. We are running Keycloak 3.2.1.Final.
2. Three Infinispan instances are deployed as a single cluster. Our Keycloak instances are
connected to this external Infinispan cluster.
3. We don't have any session stickiness enabled at the load balancer.
4. Below is the configuration we are using for the authenticationSessions cache in the
standalone.xml file.
<local-cache name="authenticationSessions">
    <remote-store cache="authenticationSessions"
                  remote-servers="remote-cache" fetch-state="false"
                  passivation="false" preload="false" purge="false"
                  shared="true">
        <property name="rawValues">
            true
        </property>
        <property name="marshaller">
            org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
        </property>
    </remote-store>
</local-cache>
Some findings on this issue:
1. Since there is no session stickiness, the first request, when the login page is rendered, can
go to Keycloak node 1, and when the user comes back to Keycloak with a valid SAML Response the request
can be forwarded to Keycloak node 2. So requests can be spread across all Keycloak nodes.
2. The error log observed for the 'Not found serialized context in
authenticationSession' message is: ERROR [org.keycloak.services] (default task-17)
KC-SERVICES0068: Not found serialized context in clientSession under note
'BROKERED_CONTEXT'
3. If we run only a single Keycloak node, we are not seeing this error.
Have any of you seen a similar issue?
Thanks!