[keycloak-user] Logout in cluster environments

Pulkit Gupta pulgupta at redhat.com
Wed Jan 25 03:29:18 EST 2017


Thanks Marek,

I worked more around this and now the sessions are getting replicated
across the cluster for our applications.

However, I can still see that when we log out we are able to log back in
without entering the credentials.
This happens most of the time, but a few times we are logged out correctly.

I am not sure why the logout is not ending the user session and why we are
able to visit the protected resource without re-authenticating.
Can you please suggest where I can look?

Regards,
Pulkit



On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda <mposolda at redhat.com> wrote:

> I don't see anything in our documentation for Keycloak SAML adapter. Not
> sure if we support clustering or not. Maybe someone else knows.
>
> But I think that if you have <distributable /> in your applications and it
> still doesn't work, then feel free to create JIRA.
>
> Marek
>
> On 20/01/17 17:29, Pulkit Gupta wrote:
>
> We can't really move to OIDC as we have already used SAML for a number of
> apps.
> Is clustering not supported by SAML client adapters for JBoss?
>
> Regards,
> Pulkit
>
>
> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> This is supposed to work for Keycloak OIDC clients and some docs are here:
>> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html .
>>
>> I don't know about Keycloak SAML clients. Is it an alternative for you to
>> try OIDC instead of SAML?
>>
>> Marek
>>
>> On 20/01/17 08:19, Pulkit Gupta wrote:
>>
>>> Hi All,
>>>
>>> I am running multiple applications deployed on a JBoss cluster with
>>> Infinispan used as a cache and for distributed sessions.
>>> I verified and can see that session replication is working for a normal
>>> application where I can see the same session on all the servers in the
>>> cluster and hence the application is working fine without session
>>> stickiness.
>>>
>>> However, when I am trying to use any Keycloak SAML client based
>>> application, it is only working if the request is going to a particular
>>> box in the cluster. On all the other boxes we are getting errors.
>>> From this behavior I am concluding that somehow for Keycloak based
>>> applications sessions are not getting replicated.
>>> Both these applications have the <distributable /> tag in them so I am
>>> not sure why it is showing different behaviour.
>>>
>>> I know we can fix this by just enabling session stickiness but we want
>>> the sessions to be replicated as well.
>>> This is because we want to make our setup more resilient. Also, in case
>>> of logout, when Keycloak is sending a back channel logout request it may
>>> send it to any server in the cluster.
>>> If the sessions are not properly replicated then the logout will fail as
>>> the session will remain preserved on some other server in the cluster.
>>>
>>> Can someone please suggest something to try?
>>>
>>>
>>
>
>
> --
> Thanks,
> Pulkit
> AMS
>
>
>


-- 
Thanks,
Pulkit
AMS

