If you disable caches and can have sticky sessions (at least to a specific
DC so session replication isn't needed) then yes. However, you won't be
able to handle much load at all and response times will be bad.
On 24 January 2017 at 04:26, Jacobs, Michael <Michael.Jacobs(a)nuance.com>
wrote:
Thanks, we were able to get this working. However we are interested in
avoiding JDG. If we disable the user and realm caches, can we just have 2
independent clusters each pointing at a database that replicates via
multi-master?
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Tuesday, January 03, 2017 9:48 PM
*To:* Jacobs, Michael <Michael.Jacobs(a)nuance.com>
*Cc:* Marek Posolda <mposolda(a)redhat.com>; keycloak-user(a)lists.jboss.org
*Subject:* Re: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication
Yes, db replication is still required
On 3 January 2017 at 18:21, Jacobs, Michael <Michael.Jacobs(a)nuance.com>
wrote:
Thanks for posting this, I will model it out. I assume this solution
still requires DB replication to keep the underlying persisted data in
sync. All that is replicating is the invalidation messages to keep the
in-memory caches in sync, correct?
MJ
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Monday, December 19, 2016 1:23 AM
To: stian(a)redhat.com; Jacobs, Michael <Michael.Jacobs(a)nuance.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: [EXTERNAL] Re: [keycloak-user] Cross-Site Replication
On 19/12/16 09:49, Stian Thorgersen wrote:
> We don't currently support cross-DC replication very well and it is
> something we are looking at improving in 2017. We're tackling this in
> stages:
>
> 1. Dealing with invalidation caches cross-DC - this is already
> resolved and is done by using external Infinispan/JDG to replicate
> invalidation messages cross-DC. I don't think we have documentation on
> how to set this up yet though.
I've added some notes for the basic setup:
https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md
This is the setup for 1 external JDG server and with 2 Keycloak nodes,
which are not in the cluster, but they both talk to the JDG server. Feel
free to check it, just be aware of all the limitations related to sessions
(points 2, 3, 4).
Marek
> 2. Support with sessions affinity to a specific DC - as long as all
> requests for a session are made to the same cluster everything should work
> already. This is simpler to set up for SAML than for OIDC due to OIDC
> backchannel requests from both browser and applications for the same
> session
> 3. Support session replication - this requires a fair bit of rework on how
> we do sessions, including during authentication flows, as currently there
> are too many updates to a session to fully replicate these cross DCs
> 4. Support without session affinity - allow requests to go to any DC for
> any session
>
> On 16 December 2016 at 20:23, Jacobs, Michael <Michael.Jacobs(a)nuance.com>
> wrote:
>
>> Greetings,
>>
>> I am looking at setting up Cross-site replication for multiple Keycloak
>> clusters, possibly using DB replication. I found this question asked back
>> in May 2016, with no reply.
>>
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html
>>
>> Does anyone know the best way to set this up?
>>
>>
>> MJ
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>