[keycloak-user] Logout in cluster environments

Hynek Mlnarik hmlnarik at redhat.com
Wed Jan 25 05:46:15 EST 2017


There's quite a lot of useful information in this thread. Could you
please file a JIRA issue with a reference to this thread?

Thank you

--Hynek

On Wed, Jan 25, 2017 at 11:08 AM, Pulkit Gupta <pulgupta at redhat.com> wrote:
> Hi Marek,
>
> In continuation to the previous mail I can see that the SAML assertion is
> getting deleted but the individual sessions within different applications
> are getting maintained.
> And thus the user is able to log back in to the applications which he was
> using.
> But if he is opening a new application for the first time and as there is
> no existing session and SAML assertion is already deleted he is correctly
> asked to enter his credentials.
> I think this will be helpful for you to pinpoint the issue.
>
> Regards,
> Pulkit
>
> On Wed, Jan 25, 2017 at 1:59 PM, Pulkit Gupta <pulgupta at redhat.com> wrote:
>
>> Thanks Marek,
>>
>> I worked more around this and now the sessions are getting replicated
>> across the cluster for our applications.
>>
>> However still I can see that when we log out we are able to log back in
>> without entering the credentials.
>> This happens most of the time but a few times we are logged out correctly.
>>
>> I am not sure why the logout is not ending the user session and why we are
>> able to visit the protected resource without re-authenticating.
>> Can you please suggest where I can look?
>>
>> Regards,
>> Pulkit
>>
>>
>>
>> On Mon, Jan 23, 2017 at 2:04 PM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> I don't see anything in our documentation for Keycloak SAML adapter. Not
>>> sure if we support clustering or not. Maybe someone else knows.
>>>
>>> But I think that if you have <distributable /> in your applications and
>>> it still doesn't work, then feel free to create JIRA.
>>>
>>> Marek
>>>
>>> On 20/01/17 17:29, Pulkit Gupta wrote:
>>>
>>> We can't really move to OIDC as we have already used SAML for a number of
>>> apps.
>>> Is clustering not supported by SAML client adapters for JBoss?
>>>
>>> Regards,
>>> Pulkit
>>>
>>>
>>> On Fri, Jan 20, 2017 at 1:47 PM, Marek Posolda <mposolda at redhat.com>
>>> wrote:
>>>
>>>> This is supposed to work for Keycloak OIDC clients and some docs are here:
>>>> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/application-clustering.html
>>>>
>>>> I don't know about Keycloak SAML clients. Is it an alternative for you
>>>> to try OIDC instead of SAML?
>>>>
>>>> Marek
>>>>
>>>> On 20/01/17 08:19, Pulkit Gupta wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I am running multiple applications deployed on a JBoss cluster with
>>>>> Infinispan used as a cache and for distributed sessions.
>>>>> I verified and can see that session replication is working for a normal
>>>>> application where I can see the same session on all the servers in the
>>>>> cluster and hence the application is working fine without session
>>>>> stickiness.
>>>>>
>>>>> However when I am trying to use any Keycloak SAML client based
>>>>> application it is only working if the request is going to a particular
>>>>> box in the cluster. On all the other boxes we are getting errors.
>>>>> From this behavior I am concluding that somehow for Keycloak based
>>>>> applications sessions are not getting replicated.
>>>>> Both these applications have <distributable /> tag in them so I am not
>>>>> sure why it is showing different behaviour.
>>>>>
>>>>> I know we can fix this by just enabling session stickiness but we want
>>>>> the sessions to be replicated as well.
>>>>> This is because we want to make our set up more resilient. Also in case
>>>>> of logout when Keycloak is sending a back channel logout request it may
>>>>> send it to any server in the cluster.
>>>>> If the sessions are not properly replicated then the logout will fail as
>>>>> the session will remain preserved on some other server in the cluster.
>>>>>
>>>>> Can someone please suggest something to try?
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Pulkit
>>> AMS
>>>
>>>
>>>
>>
>>
>> --
>> Thanks,
>> Pulkit
>> AMS
>>
>
>
>
> --
> Thanks,
> Pulkit
> AMS



-- 

--Hynek
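
The failure mode described in the original question (a back-channel logout request that may reach any cluster node while the session lives on only one of them) can be modelled in a few lines. This is an added example, not part of the thread and not Keycloak or JBoss code; the `Node` class, the session identifiers and the three-node cluster are all constructed for illustration.

```python
"""Constructed model of back-channel logout in a cluster (not Keycloak code)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    # HTTP session id -> SAML session index issued by the IdP at login
    sessions: dict = field(default_factory=dict)

    def login(self, http_sid, session_index):
        self.sessions[http_sid] = session_index

    def is_authenticated(self, http_sid):
        return http_sid in self.sessions

    def backchannel_logout(self, session_index):
        """Invalidate every session this node can see for the IdP session."""
        doomed = [s for s, idx in self.sessions.items() if idx == session_index]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def build_cluster(size, replicated):
    """Replicated: all nodes share one store. Otherwise each node has its own."""
    if replicated:
        shared = {}
        return [Node(f"node{i}", shared) for i in range(size)]
    return [Node(f"node{i}") for i in range(size)]


def surviving_nodes(size, replicated, login_node, logout_node):
    """Log in on one node, deliver the logout to another, report who still trusts the cookie."""
    cluster = build_cluster(size, replicated)
    cluster[login_node].login("JSESSIONID-abc", "idx-1")   # constructed values
    cluster[logout_node].backchannel_logout("idx-1")
    return [n.name for n in cluster if n.is_authenticated("JSESSIONID-abc")]


def logout_matrix(size, replicated):
    """For each node the IdP might reach, list nodes that still accept the cookie."""
    return {f"node{t}": surviving_nodes(size, replicated, 0, t) for t in range(size)}


if __name__ == "__main__":
    print("node-local sessions:", logout_matrix(3, replicated=False))
    print("replicated sessions:", logout_matrix(3, replicated=True))
```

With node-local stores the logout only takes effect when the request happens to reach the node that created the session; with a shared store any node can end it.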

