[keycloak-user] SAML in a keycloak cluster

GKAZGKAS Dimitrios (TAN/MST) Dimitrios.Gkazgkas at tangoservices.lu
Tue Oct 18 10:57:18 EDT 2016


Hello Stian,

Thank you for your response.

Could you explain a bit more what you mean by saying “as Keycloak should see security.lu<http://security.lu>, not the internal addresses of the nodes”  ?  According to our understanding the Keycloak servers  in the internal network is behind reverse proxy and thus they do not know that they are called “security.lu”, they just know that they are either security1.lu<http://security1.lu> or security2.lu<http://security1.lu>.

When we tried to overwite the  Saml XML configuration (that client uses for integration) and put  the public address “security.lu” we again had the same ERROR in Keycloak logs “reason=invalid_destination” probably due to same root cause, the destination in the Saml AuthRequest was “Service.lu”, an address unknown for keycloack inside the private network.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="

I  attach our HA configuration. We do not use the build in Load Balancer but an Appache Reverse Proxy which actually rewrites all internall URLs to Publics for outgoing trafiif and the oposite for the incoming traffic. Thus there is not much left in the page you sent to be configured in our Keycloak.

I hope I was clear. Any help would  be highly appreciated.

  Br

Dimitrios Gkazgkas
IT Solutions Architect

..............................................................................................



From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 17 October 2016 20:41
To: GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Sounds like you haven't setup things properly as Keycloak should see security.lu<http://security.lu>, not the internal addresses of the nodes. Take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html

On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu<mailto:Dimitrios.Gkazgkas at tangoservices.lu>> wrote:
The response from the list on my initial mails was : After content filtering, the message was empty

So I try to send the same mail without CC and without attached



===========

Hello,

We are trying to configure a SAML authentication system in a keycloak cluster. First, with only one node , we are currently managing to authenticate in SAML way.

The architecture :
--> we have one apache reverse proxy with a public and unique endpoint for saml authentication. We can call the pubic url : security.lu<http://security.lu><http://security.lu>

--> the reverse proxy will load-balance all calls that come on security.lu<http://security.lu><http://security.lu> to two keycloak nodes : security1.lu<http://security1.lu><http://security1.lu> and security2.lu<http://security2.lu><http://security2.lu> ( the private urls) .

The issue that we have :
--> The client that integrates saml has a tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is refering to security1.lu<http://security1.lu><http://security1.lu> ( the private address as the keycloak node only knows its private address).
--> If we arrive during the load-balancing on the security1.lu<http://security1.lu><http://security1.lu> node, it will work. If I arrive on the second security2.lu<http://security2.lu><http://security2.lu> node, it will fail. When I dig a little bit more, it's because in fact, the SAMLRequest that is generated looks like this :

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://security1.lu<http://security1.lu>:8080/realms/xxx/protocol/saml" ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxxx</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"></samlp:NameIDPolicy></samlp:AuthnRequest>

The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu<http://security2.lu><http://security2.lu> node :

2016-10-11 14:52:10,152 WARN  [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

>From what I see there is for saml client, a Clustering tab where I have currently nothing. Maybe I need to add some host nodes here ? But i don't know how to proceed.

Or is there any way to define both security1.lu<http://security1.lu><http://security1.lu> and security2.lu<http://security2.lu> on the Saml XML configuration that the client integrates?

We have set proxy-address-forwarding=true

Thank you for your help.

Kr,






  Br

Dimitrios Gkazgkas
IT Solutions Architect



________________________________

**** DISCLAIMER ****
http://www.tango.lu/maildisclaimer
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user



More information about the keycloak-user mailing list