Sounds like you haven't set things up properly, as Keycloak should see
security.lu, not the internal addresses of the nodes. Take a look at
On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) <
The response from the list on my initial mails was: After content
filtering, the message was empty
So I try to send the same mail without CC and without attached
We are trying to configure a SAML authentication system in a Keycloak
cluster. First, with only one node, we are currently managing to
authenticate in the SAML way.
The architecture:
--> we have one Apache reverse proxy with a public and unique endpoint for
SAML authentication. We can call the public URL: security.lu
--> the reverse proxy will load-balance all calls that come on security.lu
to two Keycloak nodes: security1.lu
and security2.lu (the private
The issue that we have:
--> The client that integrates SAML has a Tomcat and integrates a
keycloak-saml.xml file. Of course, in this file the configuration is
referring to security1.lu (the private address, as
the Keycloak node only knows its private address).
--> If we arrive during the load-balancing on the security1.lu
node, it will work. If I arrive on the second
security2.lu node, it will fail. When I dig a little
bit more, it's because in fact the SAMLRequest that is generated looks
like this:
The error that I get is an invalid_destination because we receive this
SAMLRequest on the security2.lu node:
2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2)
type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx,
From what I see, there is, for the SAML client, a Clustering tab where I
currently have nothing. Maybe I need to add some host nodes here? But I don't
know how to proceed.
Or is there any way to define both security1.lu and
security2.lu in the SAML XML configuration that the client integrates?
We have set proxy-address-forwarding=true
Thank you for your help.
IT Solutions Architect
keycloak-user mailing list
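
A diagnostic for the invalid_destination error discussed in this thread, as an added example that is not part of the original messages or of Keycloak: it decodes a SAMLRequest and reports whether its Destination names the public host security.lu or an internal node. The realm path, request ID and sample requests are constructed, and the helper names are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PUBLIC_HOST = "security.lu"  # public endpoint named in the thread


def decode_saml_request(value, redirect_binding=True):
    """Return the AuthnRequest XML bytes carried in a SAMLRequest parameter."""
    raw = base64.b64decode(value)
    if redirect_binding:
        # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
        raw = zlib.decompress(raw, -15)
    # SAML messages never need a DTD; refuse one before parsing.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD or entity declaration in SAML message")
    return raw


def check_destination(xml_bytes, expected_host=PUBLIC_HOST):
    """Compare the Destination host with the host the IdP is reached on."""
    destination = ET.fromstring(xml_bytes).get("Destination")
    if destination is None:
        return ("missing", None)
    host = urlsplit(destination).hostname
    return ("ok" if host == expected_host else "mismatch", host)


def encode_sample(xml_text):
    """Build a constructed redirect-binding SAMLRequest value for testing."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


# Constructed sample request; the realm path is an assumption.
SAMPLE = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="ID_constructed" Version="2.0" IssueInstant="2016-10-11T14:52:10Z" '
    'Destination="{dest}"/>'
)

if __name__ == "__main__":
    for dest in ("https://security.lu/auth/realms/example/protocol/saml",
                 "http://security1.lu/auth/realms/example/protocol/saml"):
        value = encode_sample(SAMPLE.format(dest=dest))
        print(dest, "->", check_destination(decode_saml_request(value)))
```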