[keycloak-user] Simple user SSO between keycloak instances

Long Man longman at barramandi.com
Tue Jun 12 04:14:12 EDT 2018


Thanks Ariel.
I found out the following: the request host.domain.com:port must be identical
with the initial authentication.
The session cookie itself is not sufficient.
So yes, via a load balancer, it will work.

Unlike many other SSO products that use the cookie domain .domain.com to share
session cookies within the infrastructure, Keycloak does not allow that
and takes it one level higher, not even allowing a difference in port number.

Maybe a future version can have an option to relax this enforcement, as it will
be beneficial should multi-site deployments want to have different
hostnames within the same domain, with each site having its own load balancers,
i.e. ap.sso.domain.com, na.sso.domain.com, eu.sso.domain.com

Thanks.
Regards,
BL

On Tue, Jun 12, 2018 at 5:44 AM, Ariel Carrera <carreraariel at gmail.com>
wrote:

> Have you got a load balancer in front of the Keycloaks? Have you tested it
> by hitting the balancer? Maybe the issuer is changing from one token to
> the other.
>
> On Mon, Jun 11, 2018 at 07:04, Long Man <longman at barramandi.com>
> wrote:
>
>> I have a pair of keycloak setup as cross datacenter HA
>> as per https://www.keycloak.org/docs/4.0/server_installation/#setup
>>
>> All configuration data is replicated, and changes to session/config are
>> seen immediately in both instances console.
>>
>> However, a user login to /auth/realms/master/account/ cannot re-use the
>> same session between the instances.
>> 1) login to http://host.domain.com:8080/auth/realms/master/account
>> (instance 1)
>> 2) go to http://host.domain.com:9080/auth/realms/master/account
>> (instance 2)
>> prompted to login again although all the cookies are sent to instance2
>> (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY)
>>
>> Any help appreciated
>>
>> Thanks a bunch!
>>
>> Regards,
>> BL
>>
> --
> Ariel Carrera
>
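
The issuer hypothesis raised in the quoted reply can be checked offline. The following is an added example, not part of the original thread and not Keycloak's own code. It assumes the KEYCLOAK_IDENTITY cookie value is a compact JWT whose `iss` claim is the realm URL as seen by the issuing instance, and that realm URLs follow the /auth/realms/<realm> layout shown in the thread; the function names and the sample cookie are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_issuer(request_url: str, realm: str) -> str:
    """Issuer derived from the URL an instance was reached on (assumed layout)."""
    u = urlsplit(request_url)
    # Default ports are left out so https://host:443 and https://host compare equal.
    if u.port in (None, DEFAULT_PORTS.get(u.scheme)):
        netloc = u.hostname
    else:
        netloc = f"{u.hostname}:{u.port}"
    return f"{u.scheme}://{netloc}/auth/realms/{realm}"

def check_cookie(cookie_value: str, request_url: str, realm: str) -> dict:
    """Compare the cookie's iss claim with the issuer implied by the request URL."""
    token_iss = jwt_claims(cookie_value).get("iss")
    expected = realm_issuer(request_url, realm)
    return {"token_iss": token_iss, "expected_iss": expected,
            "match": token_iss == expected}

def make_sample_cookie(issuer: str) -> str:
    """Constructed sample, not a real Keycloak cookie; the signature is a placeholder."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": "constructed-user-id"}).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"

if __name__ == "__main__":
    # Cookie issued by instance 1, then presented to both URLs from the thread.
    cookie = make_sample_cookie("http://host.domain.com:8080/auth/realms/master")
    for url in ("http://host.domain.com:8080/auth/realms/master/account",
                "http://host.domain.com:9080/auth/realms/master/account"):
        print(url, check_cookie(cookie, url, "master"))
```

A mismatch on the second URL is consistent with the behaviour reported above: the cookie reaches instance 2, but its issuer names host.domain.com:8080 rather than the host and port of the request.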

