[keycloak-user] SAML in a keycloak cluster
Stian Thorgersen
sthorger at redhat.com
Tue Oct 18 14:12:24 EDT 2016
Please look at the documentation. It explains this.
On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) <
Dimitrios.Gkazgkas at tangoservices.lu> wrote:
> Hello Stian,
>
> Thank you for your response.
>
> Could you explain a bit more what you mean by saying “*as Keycloak should
> see security.lu, not the internal addresses of the nodes*”? According to
> our understanding the Keycloak servers in the internal network are behind
> a reverse proxy and thus they do not know that they are called
> “security.lu”; they just know that they are either security1.lu or
> security2.lu.
>
> When we tried to overwrite the SAML XML configuration (that the client uses
> for integration) and put the public address “security.lu” we again had
> the same ERROR in Keycloak logs “reason=invalid_destination”, probably due
> to the same root cause: the destination in the SAML AuthnRequest was
> “Service.lu”, an address unknown to Keycloak inside the private network.
>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="
>
> I attach our HA configuration. We do not use the built-in load balancer
> but an Apache reverse proxy which actually rewrites all internal URLs to
> public ones for outgoing traffic and the opposite for the incoming traffic.
> Thus there is not much left in the page you sent to be configured in our
> Keycloak.
>
> I hope I was clear. Any help would be highly appreciated.
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* 17 October 2016 20:41
> *To:* GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] SAML in a keycloak cluster
>
> Sounds like you haven't set up things properly as Keycloak should see
> security.lu, not the internal addresses of the nodes. Take a look at
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
>
> On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) <
> Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> The response from the list on my initial mails was: After content
> filtering, the message was empty
>
> So I try to send the same mail without CC and without attachment.
>
> ===========
>
> Hello,
>
> We are trying to configure a SAML authentication system in a Keycloak
> cluster. First, with only one node, we are currently managing to
> authenticate the SAML way.
>
> The architecture:
> --> we have one Apache reverse proxy with a public and unique endpoint for
> SAML authentication. We can call the public URL: security.lu
>
> --> the reverse proxy will load-balance all calls that come on security.lu
> to two Keycloak nodes: security1.lu and security2.lu (the private URLs).
>
> The issue that we have:
> --> The client that integrates SAML has a Tomcat and integrates a
> keycloak-saml.xml file. Of course, in this file the configuration is
> referring to security1.lu (the private address, as the Keycloak node only
> knows its private address).
> --> If we arrive during the load-balancing on the security1.lu node, it
> will work. If I arrive on the second security2.lu node, it will fail. When
> I dig a little bit more, it's because in fact the SAMLRequest that is
> generated looks like this:
>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> Destination="http://security1.lu:8080/realms/xxx/protocol/saml"
> ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e"
> IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z"
> Version="2.0"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">xxxxx</saml:Issuer><samlp:NameIDPolicy
> AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"></samlp:NameIDPolicy></samlp:AuthnRequest>
>
> The error that I get is an invalid_destination because we receive this
> SAMLRequest on the security2.lu node:
>
> 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2)
> type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx,
> error=invalid_authn_request, reason=invalid_destination
>
> From what I see there is, for a SAML client, a Clustering tab where I have
> currently nothing. Maybe I need to add some host nodes here? But I don't
> know how to proceed.
>
> Or is there any way to define both security1.lu and security2.lu in the
> SAML XML configuration that the client integrates?
>
> We have set proxy-address-forwarding=true
>
> Thank you for your help.
>
> Kr,
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
>
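Added here as a worked example (not Keycloak's own code and not from anyone in the thread): a simplified model of the Destination validation that yields reason=invalid_destination, run against the thread's two-node setup. It assumes a node derives its own SAML endpoint from X-Forwarded-Proto/X-Forwarded-Host only when proxy-address-forwarding is enabled; the hostnames, headers and AuthnRequest are constructed values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(destination):
    """Constructed AuthnRequest modelled on the one in the thread (IDs shortened)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" Destination="{destination}" '
            'ForceAuthn="false" ID="ID_sample" IsPassive="false" '
            'IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0">'
            f'<saml:Issuer xmlns:saml="{SAML}">sp</saml:Issuer></samlp:AuthnRequest>')

def effective_endpoint(node_host, headers, realm, proxy_address_forwarding):
    """URL a node believes it was called on. With proxy-address-forwarding the
    X-Forwarded-* headers added by the reverse proxy win over the node's own
    hostname; without them the node only knows its private address."""
    scheme, host = "http", node_host
    if proxy_address_forwarding:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return f"{scheme}://{host}/realms/{realm}/protocol/saml"

def check_destination(xml_text, node_host, headers, realm, proxy_address_forwarding):
    """Simplified model (assumption, not Keycloak's code) of the IdP-side check:
    the Destination attribute must equal the endpoint URL the node computes for
    itself. Returns 'ok' or a reason string like the log line in the thread."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return "invalid_authn_request"
    expected = effective_endpoint(node_host, headers, realm, proxy_address_forwarding)
    return "ok" if root.get("Destination") == expected else "invalid_destination"

# Headers an Apache reverse proxy for security.lu would add (constructed values).
PROXY_HEADERS = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "security.lu"}

def scenarios():
    """Outcome of the same request landing on either node under three setups."""
    private = build_authn_request("http://security1.lu:8080/realms/xxx/protocol/saml")
    public = build_authn_request("https://security.lu/realms/xxx/protocol/saml")
    return {
        # SP config points at one private node: works only when that node answers
        "private_on_node1": check_destination(private, "security1.lu:8080", {}, "xxx", False),
        "private_on_node2": check_destination(private, "security2.lu:8080", {}, "xxx", False),
        # SP config uses the public URL and the nodes honour the proxy headers
        "public_on_node1": check_destination(public, "security1.lu:8080", PROXY_HEADERS, "xxx", True),
        "public_on_node2": check_destination(public, "security2.lu:8080", PROXY_HEADERS, "xxx", True),
        # public URL in the SP config but forwarding disabled: node still sees itself
        "public_no_forwarding": check_destination(public, "security2.lu:8080", PROXY_HEADERS, "xxx", False),
    }
```

Only the third setup (public URL in keycloak-saml.xml plus forwarded headers on every node) gives the same answer on both nodes, which is the property a load-balanced SAML endpoint needs.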