Please look at the documentation. It explains this.
On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) <
Thank you for your response.
Could you explain a bit more what you mean by saying “*as Keycloak should
see security.lu <http://security.lu>
;, not the internal addresses of the
nodes*” ? According to our understanding the Keycloak servers in the
internal network is behind reverse proxy and thus they do not know that
they are called “security.lu”, they just know that they are either
security1.lu or security2.lu <http://security1.lu>
When we tried to overwite the Saml XML configuration (that client uses
for integration) and put the public address “security.lu” we again had
the same ERROR in Keycloak logs “reason=invalid_destination” probably due
to same root cause, the destination in the Saml AuthRequest was
“Service.lu”, an address unknown for keycloack inside the private network.
I attach our HA configuration. We do not use the build in Load Balancer
but an Appache Reverse Proxy which actually rewrites all internall URLs to
Publics for outgoing trafiif and the oposite for the incoming traffic. Thus
there is not much left in the page you sent to be configured in our
I hope I was clear. Any help would be highly appreciated.
IT Solutions Architect
*From:* Stian Thorgersen [mailto:email@example.com]
*Sent:* 17 October 2016 20:41
*To:* GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas(a)tangoservices.lu>
*Subject:* Re: [keycloak-user] SAML in a keycloak cluster
Sounds like you haven't setup things properly as Keycloak should see
security.lu, not the internal addresses of the nodes. Take a look at
On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) <
The response from the list on my initial mails was : After content
filtering, the message was empty
So I try to send the same mail without CC and without attached
We are trying to configure a SAML authentication system in a keycloak
cluster. First, with only one node , we are currently managing to
authenticate in SAML way.
The architecture :
--> we have one apache reverse proxy with a public and unique endpoint for
saml authentication. We can call the pubic url : security.lu<
--> the reverse proxy will load-balance all calls that come on security.lu
to two keycloak nodes : security1.lu<
and security2.lu<http://security2.lu> ( the private
The issue that we have :
--> The client that integrates saml has a tomcat and integrates a
keycloak-saml.xml file. Of course, in this file the configuration is
refering to security1.lu<http://security1.lu> ( the private address as
the keycloak node only knows its private address).
--> If we arrive during the load-balancing on the security1.lu<
node, it will work. If I arrive on the second
security2.lu<http://security2.lu> node, it will fail. When I dig a little
bit more, it's because in fact, the SAMLRequest that is generated looks
like this :
The error that I get is an invalid_destination because we receive this
SAMLRequest on the security2.lu<http://security2.lu> node :
2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2)
type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx,
>From what I see there is for saml client, a Clustering tab where I have
currently nothing. Maybe I need to add some host nodes here ? But i don't
know how to proceed.
Or is there any way to define both security1.lu<http://security1.lu> and
security2.lu on the Saml XML configuration that the client integrates?
We have set proxy-address-forwarding=true
Thank you for your help.
IT Solutions Architect
**** DISCLAIMER ****
keycloak-user mailing list