Hi Bill - Checked it once again. It appears that the certificate is changing but the key
is same across the keycloak instances as you mentioned. Not sure where the certificate
will come into picture but I did further testing and can confirm that everything works
the way it is supposed to across two instances on two hosts.
But is there any way we can upload our own certificate/key to Keycloak instead of having
Keycloak generate it? Based on our client requirements, we may need to support different
key strengths.
Thanks, Raghu
From: Bill Burke <bburke(a)redhat.com>
To: keycloak-user(a)lists.jboss.org
Sent: Saturday, January 17, 2015 9:32 AM
Subject: Re: [keycloak-user] Signing Keys in a cluster
On 1/17/2015 8:54 AM, prab rrrr wrote:
Hi,
I am in the process of setting up a cluster of keycloak instances, all
of which are accessible by a single url (fronted by a reverse proxy or
an alias). So when a client application communicates with the single url
using either SAML or Openid Connect, how do we ensure that all the
keycloak instances use the same set of certificates/keys to sign/encrypt
the SAML/OpenID Connect response?
Noticed that we can generate a new set of keys for each realm within
Keycloak instance but they are different across different instances. Is
there a way of using the same certificate/keys across all the instances?
That shouldn't be the case. There should be one key pair per realm.
Sounds like you aren't sharing the same database.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
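Added example, not from the thread or from Keycloak itself: a check for the condition Bill describes, one key pair per realm across every node behind the shared URL. It assumes each node publishes its realm keys as a JWK Set (RFC 7517); the three sets below are constructed with shortened moduli, and node-c stands for an instance running against a separate database.

```python
"""Compare the realm signing keys published by each Keycloak node behind one URL."""
import base64
import hashlib
import json

# Constructed sample data: nodes A and B share the realm database and therefore the
# same key pair; node C was started against its own database and generated a new key.
NODE_JWKS = {
    "node-a": {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig", "alg": "RS256",
                         "n": "xjlCp4VJd0Z3Q0Y1sNmLwq5K7sTdMnpz9R2Kj7Z_rUE", "e": "AQAB"}]},
    "node-b": {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig", "alg": "RS256",
                         "n": "xjlCp4VJd0Z3Q0Y1sNmLwq5K7sTdMnpz9R2Kj7Z_rUE", "e": "AQAB"}]},
    "node-c": {"keys": [{"kty": "RSA", "kid": "key-2", "use": "sig", "alg": "RS256",
                         "n": "9vJ1ySbqb2Lw5TXx0Q8aNfsd0QvX2JtY3C5lYhM4uPI", "e": "AQAB"}]},
}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members
    only (RSA: e, kty, n; EC: crv, kty, x, y), sorted, no whitespace, base64url.
    Key material decides identity, not the kid and not the certificate wrapped
    around it, so a re-issued certificate over the same key still matches."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def signing_thumbprints(jwks):
    """Thumbprints of the signing keys in one node's JWK Set (missing 'use' counts as sig)."""
    return frozenset(jwk_thumbprint(k) for k in jwks["keys"] if k.get("use", "sig") == "sig")


def find_divergent_nodes(node_jwks):
    """Names of nodes whose signing-key set differs from the majority of the cluster.
    An empty result means every node signs with the same realm key pair."""
    per_node = {name: signing_thumbprints(j) for name, j in node_jwks.items()}
    counts = {}
    for tps in per_node.values():
        counts[tps] = counts.get(tps, 0) + 1
    majority = max(counts, key=counts.get)
    return sorted(name for name, tps in per_node.items() if tps != majority)


if __name__ == "__main__":
    odd = find_divergent_nodes(NODE_JWKS)
    print("divergent nodes:", odd or "none (one key pair per realm, as expected)")
```

A node that shows up here is the one to check for a separate or unshared database, since its tokens and SAML assertions will fail verification at clients that cached the majority key.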