[keycloak-user] Cross-Site Replication

Marek Posolda mposolda at redhat.com
Mon Dec 19 04:23:29 EST 2016


On 19/12/16 09:49, Stian Thorgersen wrote:
> We don't currently support cross-DC replication very well and it is
> something we are looking at improving in 2017. We're tackling this in
> stages:
>
> 1. Dealing with invalidation caches cross-DC - this is already resolved and
> is done by using external Infinispan/JDG to replicate invalidation messages
> cross-DC. I don't think we have documentation on how to set this up yet
> though.
I've added some notes for the basic setup:
https://github.com/keycloak/keycloak/blob/master/misc/CrossDataCenter.md
This is the setup for 1 external JDG server and with 2 Keycloak nodes,
which are not in the cluster, but they both talk to the JDG server. Feel
free to check it, just be aware of all the limitations related to
sessions (points 2, 3, 4).

Marek
> 2. Support with sessions affinity to a specific DC - as long as all
> requests for a session are made to the same cluster everything should work
> already. This is simpler to set up for SAML than for OIDC due to OIDC
> backchannel requests from both browser and applications for the same session
> 3. Support session replication - this requires a fair bit of rework on how
> we do sessions, including during authentication flows, as currently there
> are too many updates to a session to fully replicate these cross DCs
> 4. Support without session affinity - allow requests to go to any DC for
> any session
>
> On 16 December 2016 at 20:23, Jacobs, Michael <Michael.Jacobs at nuance.com>
> wrote:
>
>> Greetings,
>>
>> I am looking at setting up Cross-site replication for multiple Keycloak
>> clusters, possibly using DB replication.  I found this question asked back
>> in May 2016, with no reply.
>>
>> http://lists.jboss.org/pipermail/keycloak-user/2016-May/006142.html
>>
>> Does anyone know the best way to set this up?
>>
>>
>> MJ
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>



