I think that you may either need to:
1) Enable sticky sessions for your load balancer
2) Use the distributed-cache instead of local-cache
3) Make some changes in remote-store so that it works for your use-case.
But this is not a configuration tested by us. I suggest rather doing (1)
or (2) if possible.
BTW, if you want to double-check, you can try with 1 node only. If the
issue is not there with 1 node, but it is with 2 or more nodes, then you
surely need to do something mentioned above.
Marek
On 01/11/17 15:45, Narendra Kadali wrote:
Hello All,
We configured an external SAML-based identity provider in a realm. When the user comes
back to Keycloak after successful authentication at the external IdP, Keycloak gives either a
"Page expired" or a "Not found serialized context in authenticationSession" error.
The process of reproducing the issue is as follows:
1. Access the corresponding realm login page and then click on the identity provider
link to log in using the external IdP.
2. This will take us to the external identity provider. After successful
authentication at external IdP, the user will be redirected back to Keycloak instance with
a valid SAMLResponse.
3. Then there might be a chance that instead of either showing first-broker-login
flow or profile page you might be presented with 'page expired' error or 'Not
found serialized context in authenticationSession' error.
Some information about my environment:
1. Three Keycloak instances running in standalone mode. All of them are connected to a common
DB and an external Infinispan cluster. We are running Keycloak 3.2.1.Final.
2. Three Infinispan instances are deployed as a single cluster. Our Keycloak instances are
connected to this external Infinispan cluster.
3. We don't have any session stickiness enabled at the load balancer.
4. Below is the configuration we are using for the authenticationSessions cache in the
standalone.xml file.
<local-cache name="authenticationSessions">
    <remote-store cache="authenticationSessions"
                  remote-servers="remote-cache" fetch-state="false"
                  passivation="false" preload="false" purge="false"
                  shared="true">
        <property name="rawValues">
            true
        </property>
        <property name="marshaller">
            org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory
        </property>
    </remote-store>
</local-cache>
Some findings on this issue:
1. Since session stickiness is not there, the first time the login page is rendered it
can go to Keycloak node 1, and when the user comes back to Keycloak with a valid SAMLResponse
the request can be forwarded to Keycloak node 2. So requests can be spread across all Keycloak
nodes.
2. The error log observed for 'Not found serialized context in
authenticationSession' message is: ERROR [org.keycloak.services] (default task-17)
KC-SERVICES0068: Not found serialized context in clientSession under note
'BROKERED_CONTEXT'
3. If we run only one single Keycloak node, we are not seeing this error.
Have any of you seen a similar issue?
Thanks!
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
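As an added illustration of Marek's option (2), not taken from this thread or from the Keycloak project: the posted local-cache plus remote-store definition beside the distributed-cache form that Keycloak's standalone-ha.xml uses for this cache. It assumes the cache-container has a JGroups transport, i.e. the nodes are started from standalone-ha.xml (or the jgroups subsystem is added), which plain standalone mode does not provide.

```xml
<!-- Before (as posted): authenticationSessions is node-local, backed by a
     remote-store. Without sticky sessions, the SAMLResponse can land on a
     node other than the one that rendered the login page, and that node
     may not find the authentication session (the "Page expired" /
     "Not found serialized context" symptom described in the thread). -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <local-cache name="authenticationSessions">
        <remote-store cache="authenticationSessions" remote-servers="remote-cache"
                      fetch-state="false" passivation="false" preload="false"
                      purge="false" shared="true">
            <property name="rawValues">true</property>
            <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
        </remote-store>
    </local-cache>
</cache-container>

<!-- After (option 2): the authentication session lives in a cache that is
     distributed across the Keycloak nodes themselves, so any node that
     receives the SAMLResponse can look it up. Requires the transport line,
     which is only present in standalone-ha.xml (assumption: you switch the
     nodes to HA mode). The remote-store is dropped for this cache; the
     external Infinispan cluster is no longer involved in it. -->
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <!-- owners="1" keeps a single copy per entry; raise it (e.g. 2) if an
         in-flight login should survive a node leaving the cluster. -->
    <distributed-cache name="authenticationSessions" mode="SYNC" owners="1"/>
</cache-container>
```

Marek's single-node check still applies: if the error disappears with one node and returns with two, the cache placement above is the thing to fix.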