[keycloak-user] Issue with not enabling sticky session

Narendra Kadali narendra_kadali at hotmail.com
Wed Nov 1 10:45:20 EDT 2017


Hello All,


We configured an external SAML-based identity provider in a realm. When the user comes back to Keycloak after successful authentication at the external IdP, Keycloak gives either a "Page expired" or a "Not found serialized context in authenticationSession" error.


The process of reproducing the issue is as follows:

  1.  Access the corresponding realm login page and then click on the identity provider link to log in using the external IdP.
  2.  This takes us to the external identity provider. After successful authentication at the external IdP, the user is redirected back to the Keycloak instance with a valid SAMLResponse.
  3.  Then, instead of the first-broker-login flow or the profile page, you might be presented with the 'Page expired' error or the 'Not found serialized context in authenticationSession' error.

Some information about my environment:
1. Three Keycloak instances running in standalone mode. All of them are connected to a common DB and an external Infinispan cluster. We are running Keycloak 3.2.1.Final.
2. Three Infinispan instances are deployed as a single cluster. Our Keycloak instances are connected to this external Infinispan cluster.
3. We don't have any session stickiness enabled at the load balancer.
4. Below is the configuration we are using for the authenticationSessions cache in the standalone.xml file.

<!-- authenticationSessions: local cache on each node, backed by the shared remote store on the external Infinispan cluster -->
<local-cache name="authenticationSessions">
    <remote-store cache="authenticationSessions" remote-servers="remote-cache" fetch-state="false" passivation="false" preload="false" purge="false" shared="true">
        <property name="rawValues">true</property>
        <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
    </remote-store>
</local-cache>



Some findings on this issue:

  1.  Since there is no session stickiness, the first time the login page is rendered the request can go to Keycloak node 1, and when the user comes back to Keycloak with a valid SAML Response the request can be forwarded to Keycloak node 2. So requests can be spread across all Keycloak nodes.
  2.  The error log observed for the 'Not found serialized context in authenticationSession' message is: ERROR [org.keycloak.services] (default task-17) KC-SERVICES0068: Not found serialized context in clientSession under note 'BROKERED_CONTEXT'
  3.  If we run only a single Keycloak node, we do not see this error.

Any of you seen a similar issue?


Thanks!
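The routing condition described in finding 1 (the IdP link is served by one node, the SAML callback lands on another, and the second node cannot find the note the first one wrote), modelled as an added example. This is constructed illustration code, not Keycloak's implementation or the poster's configuration: the `Node`, `Router` and store names are hypothetical, the "remote store" is a plain shared dict, and the route cookie stands in for whatever the load balancer would key stickiness on. The post does not say why the shared remote store did not cover the cross-node read in the reporter's setup, so the model only shows the three situations in which the callback does or does not cross nodes and what each does to the note lookup.

```python
"""Model of a brokered (SAML) login split across load-balanced nodes.

Constructed example; names are hypothetical and not Keycloak APIs.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROKERED_CONTEXT = "BROKERED_CONTEXT"   # note name quoted in the KC-SERVICES0068 log line
Notes = Dict[str, str]


class NotFoundSerializedContext(Exception):
    """Stands in for the 'Not found serialized context ... under note' error."""


@dataclass
class Node:
    """One server node: a per-node local cache plus an optional shared remote store."""
    name: str
    remote_store: Optional[Dict[str, Notes]] = None   # same dict object on every node when shared
    local: Dict[str, Notes] = field(default_factory=dict)

    def put_note(self, session_id: str, note: str, value: str) -> None:
        # Write to the local cache, and write through to the remote store if one is attached.
        self.local.setdefault(session_id, {})[note] = value
        if self.remote_store is not None:
            self.remote_store.setdefault(session_id, {})[note] = value

    def get_note(self, session_id: str, note: str) -> str:
        # Local cache first; fall back to the remote store only when this node has one.
        notes = self.local.get(session_id)
        if notes is None and self.remote_store is not None:
            notes = self.remote_store.get(session_id)
        if notes is None or note not in notes:
            raise NotFoundSerializedContext(
                f"{self.name}: not found serialized context under note '{note}'")
        return notes[note]


def make_cluster(size: int, shared_store: bool) -> List[Node]:
    """Build `size` nodes; with shared_store=True they all point at one remote store dict."""
    store: Optional[Dict[str, Notes]] = {} if shared_store else None
    return [Node(f"kc{i + 1}", store) for i in range(size)]


class Router:
    """Load balancer model: round-robin, or sticky on a route cookie naming the node."""

    def __init__(self, nodes: List[Node], sticky: bool) -> None:
        self.nodes = nodes
        self.sticky = sticky
        self._round_robin = itertools.cycle(nodes)

    def pick(self, route_cookie: Optional[str]) -> Node:
        if self.sticky and route_cookie is not None:
            for node in self.nodes:
                if node.name == route_cookie:
                    return node
        return next(self._round_robin)


def broker_login(router: Router, session_id: str) -> Tuple[str, str, bool]:
    """Two requests of one brokered login; returns (first node, second node, lookup ok)."""
    # Request 1: login page / IdP link click. The node serialises the broker context
    # into the authentication session before redirecting to the external IdP.
    first = router.pick(None)
    first.put_note(session_id, BROKERED_CONTEXT, f"serialized-ctx-{session_id}")
    # Request 2: the SAMLResponse comes back. Which node gets it depends on the balancer.
    second = router.pick(route_cookie=first.name)
    try:
        second.get_note(session_id, BROKERED_CONTEXT)
        ok = True
    except NotFoundSerializedContext:
        ok = False
    return first.name, second.name, ok


def simulate(nodes: List[Node], sticky: bool, logins: int = 30) -> Dict[str, int]:
    """Count how many logins cross nodes and how many fail the note lookup."""
    router = Router(nodes, sticky)
    stats = {"cross_node": 0, "failures": 0}
    for i in range(logins):
        first, second, ok = broker_login(router, f"sess-{i}")
        stats["cross_node"] += first != second
        stats["failures"] += not ok
    return stats


if __name__ == "__main__":
    print("3 nodes, local-only, round-robin:", simulate(make_cluster(3, False), sticky=False))
    print("3 nodes, local-only, sticky:     ", simulate(make_cluster(3, False), sticky=True))
    print("3 nodes, shared store, round-robin:", simulate(make_cluster(3, True), sticky=False))
    print("1 node, local-only, round-robin: ", simulate(make_cluster(1, False), sticky=False))
```

With three nodes and a round-robin balancer the two requests of a login never hit the same node in this model, so every lookup that depends on node-local state fails; the single-node run matches finding 3 (no error), and either stickiness or a store the second node can actually read removes the failure.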


