Please read the clustering chapter. I think you need to set some headers
between the balancer and the kc nodes (X-Forwarded-For, proto... etc)
On Tue, 12 Jun 2018 at 05:14, Long Man <longman(a)barramandi.com>
wrote:
Thanks Ariel.
I found out the following: the request host.domain.com:port must be identical
to the initial authentication.
Session cookie itself is not sufficient.
So yes, via a load balancer, it will work.
Unlike many other SSO products that use the cookie domain .domain.com to
share session cookies within the infrastructure, Keycloak does not allow
that and takes it one level higher, not even allowing a difference in port
number.
Maybe a future version can have an option to relax this enforcement, as it will
be beneficial should multi-site deployments want to have different
hostnames within the same domain, with each site having its own load balancers,
i.e.
ap.sso.domain.com,
na.sso.domain.com,
eu.sso.domain.com
Thanks.
Regards,
BL
On Tue, Jun 12, 2018 at 5:44 AM, Ariel Carrera <carreraariel(a)gmail.com>
wrote:
> Have you got a load balancer in front of the Keycloaks? Have you tested it
> by hitting the balancer? Maybe the issuer is changing from one token to
> another.
>
> On Mon, 11 Jun 2018 at 07:04, Long Man <longman(a)barramandi.com>
> wrote:
>
>> I have a pair of keycloak setup as cross datacenter HA
>> as per https://www.keycloak.org/docs/4.0/server_installation/#setup
>>
>> All configuration data is replicated, and changes to session/config are
>> seen immediately in both instances console.
>>
>> However, a user login to /auth/realms/master/account/ cannot re-use the
>> same session between the instances.
>> 1) login to http://host.domain.com:8080/auth/realms/master/account
>> (instance 1)
>> 2) go to http://host.domain.com:9080/auth/realms/master/account
>> (instance 2)
>> prompted to login again although all the cookies are sent to instance2
>> (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY)
>>
>> Any help appreciated
>>
>> Thanks a bunch!
>>
>> Regards,
>> BL
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> --
> Ariel Carrera
>
--
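
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Keycloak's code: a simplified model in which the identity cookie is a signed token whose issuer must equal the realm URL the receiving node derives from the request. The HMAC signing, the key, the function names, the backend addresses and the balancer name sso.domain.com are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; stands in for the replicated realm key

def realm_url(headers, scheme="http", trust_forwarded=False):
    """Issuer URL a node derives from the request it receives (simplified model)."""
    host = headers["Host"]
    if trust_forwarded:  # node configured to honour the balancer's headers
        host = headers.get("X-Forwarded-Host", host)
        scheme = headers.get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{host}/auth/realms/master"

def issue_cookie(issuer, subject="demo-user"):
    """Signed identity cookie: base64url(claims) + '.' + HMAC tag."""
    body = base64.urlsafe_b64encode(json.dumps({"iss": issuer, "sub": subject}).encode())
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def accept_cookie(cookie, expected_issuer):
    """Return (ok, reason): signature is checked first, then issuer equality."""
    body, _, tag = cookie.rpartition(b".")
    good = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, good):
        return False, "bad signature"
    iss = json.loads(base64.urlsafe_b64decode(body))["iss"]
    if iss != expected_issuer:
        return False, f"issuer mismatch: {iss} != {expected_issuer}"
    return True, "ok"

def sso_works(login_headers, second_headers, trust_forwarded):
    """Log in on node 1, then present the same cookie to node 2."""
    cookie = issue_cookie(realm_url(login_headers, trust_forwarded=trust_forwarded))
    return accept_cookie(cookie, realm_url(second_headers, trust_forwarded=trust_forwarded))

# Constructed requests. Direct access, as in the thread: same host, different port.
DIRECT_1 = {"Host": "host.domain.com:8080"}
DIRECT_2 = {"Host": "host.domain.com:9080"}
# Behind a balancer (hypothetical public name sso.domain.com) that sets forwarding headers.
FWD = {"X-Forwarded-Host": "sso.domain.com", "X-Forwarded-Proto": "https"}
LB_1 = {"Host": "10.0.0.1:8080", **FWD}
LB_2 = {"Host": "10.0.0.2:9080", **FWD}

if __name__ == "__main__":
    print("direct:", sso_works(DIRECT_1, DIRECT_2, False))
    print("balancer, headers ignored:", sso_works(LB_1, LB_2, False))
    print("balancer, headers honoured:", sso_works(LB_1, LB_2, True))
```

Honour forwarding headers only on nodes that are reachable solely through the balancer, since a client that can reach a node directly can set those headers itself.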