[keycloak-user] Issue with not enabling sticky session

Marek Posolda mposolda at redhat.com
Mon Nov 6 04:17:51 EST 2017


I think that you may need to either:
1) Enable sticky sessions for your load balancer
2) Use the distributed-cache instead of local-cache
3) Make some changes in remote-store so that it works for your use case. 
But this is not a configuration tested by us. I suggest rather doing (1) 
or (2) if possible.

BTW. If you want to double-check, you can try with 1 node only. If the 
issue is not there with 1 node, but it is with 2 or more nodes, then you 
surely need to do something mentioned above.

Marek

On 01/11/17 15:45, Narendra Kadali wrote:
> Hello All,
>
>
> We configured an external SAML-based identity provider in a realm. When the user comes back to Keycloak after successful authentication at the external IdP, Keycloak gives either a "Page expired" or a "Not found serialized context in authenticationSession" error.
>
>
> The process of reproducing the issue is as follows:
>
>    1.  Access the corresponding realm login page and then click on the identity provider link to login using external IdP.
>    2.  This will take us to the external identity provider. After successful authentication at external IdP, the user will be redirected back to Keycloak instance with a valid SAMLResponse.
>    3.  Then there might be a chance that instead of either showing first-broker-login flow or profile page you might be presented with 'page expired' error or 'Not found serialized context in authenticationSession' error.
>
> Some information about my environment:
> 1. Three Keycloak instances running in standalone mode. All of them are connected to a common DB and an external Infinispan cluster. We are running Keycloak 3.2.1.Final
>
> 2. Three Infinispan instances are deployed as a single cluster. Our Keycloak instances are connected to this external Infinispan cluster.
> 3. We don't have any session stickiness enabled at the load balancer
>
>    4.  Below is the configuration we are using for the authenticationSessions cache in the standalone.xml file.
>
> <local-cache name="authenticationSessions">
>     <remote-store cache="authenticationSessions" remote-servers="remote-cache" fetch-state="false" passivation="false" preload="false" purge="false" shared="true">
>         <property name="rawValues">true</property>
>         <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
>     </remote-store>
> </local-cache>
>
>
>
> Some findings on this issue:
>
>    1.  Since there is no session stickiness, the request that renders the login page can go to Keycloak node 1, and when the user comes back to Keycloak with a valid SAML Response the request can be forwarded to Keycloak node 2. So requests can be spread across all Keycloak nodes.
>    2.  The error log observed for 'Not found serialized context in authenticationSession' message is: ERROR [org.keycloak.services] (default task-17) KC-SERVICES0068: Not found serialized context in clientSession under note 'BROKERED_CONTEXT'
>    3.  If we run only one single Keycloak node, we are not seeing this error.
>
> Any of you seen a similar issue?
>
>
> Thanks!
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
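Option (2) from the reply, written out as an added example that is not part of this thread: the `authenticationSessions` cache declared as a `distributed-cache` inside a `cache-container` that carries a `<transport>`, in the style of Keycloak's `standalone-ha.xml`. The subsystem namespace version and the other cache names are assumptions; the `remote-store` from the original configuration is left out because the reply says that combination is untested.

```xml
<!-- Added example (not from the thread). Assumes the Infinispan subsystem
     version shipped with Keycloak 3.x on WildFly 10; adjust to your server. -->
<subsystem xmlns="urn:jboss:domain:infinispan:4.0">
    <cache-container name="keycloak" jndi-name="infinispan/Keycloak">
        <!-- <transport> is what makes this container clustered; distributed
             caches need it, and it is absent from a plain standalone.xml. -->
        <transport lock-timeout="60000"/>

        <!-- Realm metadata is read from the shared DB, so a per-node
             local-cache is fine here. -->
        <local-cache name="realms">
            <eviction max-entries="10000" strategy="LRU"/>
        </local-cache>

        <!-- With a local-cache the in-flight authentication session lives only
             on the node that rendered the login page. Without sticky sessions
             the SAML callback can land on a different node, which then cannot
             find the BROKERED_CONTEXT note and reports "Page expired".
             A distributed-cache makes the entry reachable from every node.
             owners="1" keeps a single copy (no replica); raise it if losing
             in-flight logins on a node failure is not acceptable. -->
        <distributed-cache name="authenticationSessions" mode="SYNC" owners="1"/>
        <distributed-cache name="sessions" mode="SYNC" owners="1"/>
        <distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
        <distributed-cache name="loginFailures" mode="SYNC" owners="1"/>

        <!-- Cluster-wide notifications (cache invalidation etc.) -->
        <replicated-cache name="work" mode="SYNC"/>
    </cache-container>
</subsystem>
```

The single-node check suggested in the reply still applies: if the error disappears with one node and returns with two, the cache topology rather than the IdP integration is the cause.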