Thanks for posting this, I will model it out. I assume this solution still requires DB
replication to keep the underlying persisted data in sync. All that is replicating is the
invalidation messages to keep the in-memory caches in sync, correct?
MJ
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Monday, December 19, 2016 1:23 AM
To: stian(a)redhat.com; Jacobs, Michael <Michael.Jacobs(a)nuance.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication
On 19/12/16 09:49, Stian Thorgersen wrote:
We don't currently support cross-DC replication very well and it is
something we are looking at improving in 2017. We're tackling this in
stages:
1. Dealing with invalidation caches cross-DC - this is already
resolved and is done by using external Infinispan/JDG to replicate
invalidation messages cross-DC. I don't think we have documentation on
how to set this up yet though.
I've added some notes for the basic setup
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_keycloak_...
. This is the setup for 1 external JDG server and with 2 Keycloak nodes, which are not in
the cluster, but they both talk to the JDG server. Feel free to check it, just be aware of
all the limitations related to sessions (points 2, 3, 4).
Marek
2. Support with session affinity to a specific DC - as long as all
requests for a session are made to the same cluster everything should work
already. This is simpler to set up for SAML than for OIDC due to OIDC
backchannel requests from both browser and applications for the same session
3. Support session replication - this requires a fair bit of rework on how
we do sessions, including during authentication flows, as currently there
are too many updates to a session to fully replicate these cross DCs
4. Support without session affinity - allow requests to go to any DC for
any session
On 16 December 2016 at 20:23, Jacobs, Michael <Michael.Jacobs(a)nuance.com>
wrote:
> Greetings,
>
> I am looking at setting up Cross-site replication for multiple Keycloak
> clusters, possibly using DB replication. I found this question asked back
> in May 2016, with no reply.
>
>
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.jboss.org_piper...
>
> Does anyone know the best way to set this up?
>
>
> MJ
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
>