[keycloak-user] Simple user SSO between keycloak instances

Ariel Carrera carreraariel at gmail.com
Tue Jun 12 06:47:49 EDT 2018


Please read the chapter on clustering. I think you need to set some headers
between the balancer and the kc nodes (X-Forwarded-For, proto... etc)

On Tue, Jun 12, 2018 at 05:14, Long Man <longman at barramandi.com>
wrote:

> Thanks Ariel.
> I found out the following: the request host.domain.com:port must be identical
> with the initial authentication.
> The session cookie itself is not sufficient.
> So yes, via a load balancer, it will work.
>
> Unlike many other SSO products that use cookie domain .domain.com to
> share session cookies within the infrastructure, Keycloak does not allow
> that and takes it one level higher, not even allowing a difference in port
> number.
>
> Maybe a future version can have an option to relax this enforcement, as it will
> be beneficial should multi-site deployments want to have different
> hostnames within the same domain, with each site having its own load balancers,
> i.e. ap.sso.domain.com, na.sso.domain.com, eu.sso.domain.com
>
> Thanks.
> Regards,
> BL
>
> On Tue, Jun 12, 2018 at 5:44 AM, Ariel Carrera <carreraariel at gmail.com>
> wrote:
>
>> Have you got a load balancer in front of the Keycloaks? Have you tested it
>> by hitting the balancer? Maybe the issuer is changing from one token to
>> the other.
>>
>> On Mon, Jun 11, 2018 at 07:04, Long Man <longman at barramandi.com>
>> wrote:
>>
>>> I have a pair of Keycloak instances set up as cross-datacenter HA
>>> as per https://www.keycloak.org/docs/4.0/server_installation/#setup
>>>
>>> All configuration data is replicated, and changes to session/config are
>>> seen immediately in both instances' consoles.
>>>
>>> However, a user logged in to /auth/realms/master/account/ cannot re-use the
>>> same session between the instances.
>>> 1) login to http://host.domain.com:8080/auth/realms/master/account
>>> (instance 1)
>>> 2) go to http://host.domain.com:9080/auth/realms/master/account
>>> (instance 2)
>>> prompted to log in again although all the cookies are sent to instance 2
>>> (AUTH_SESSION_ID, KEYCLOAK_SESSION, KEYCLOAK_IDENTITY)
>>>
>>> Any help appreciated
>>>
>>> Thanks a bunch!
>>>
>>> Regards,
>>> BL
>>>
>> --
>> Ariel Carrera
>>
>
> --
Ariel Carrera
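
Added example, not part of the original thread and not Keycloak's own code: a diagnostic sketch of the issuer mismatch suggested in the replies above, assuming the KEYCLOAK_IDENTITY cookie is a JWT whose `iss` claim is the realm URL built from the request's scheme and host:port. The function names, the unsigned sample token and `sso.example.test` are constructed for illustration.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def expected_issuer(headers, realm, scheme="http", trust_proxy=False):
    """Realm URL as a node would derive it from the incoming request (simplified model)."""
    if trust_proxy:  # only when the node is configured to honour proxy headers
        scheme = headers.get("X-Forwarded-Proto", scheme)
    return f"{scheme}://{headers['Host']}/auth/realms/{realm}"

def issuer_matches(token, headers, realm, **kw):
    """True when the cookie's issuer equals the URL this request resolves to."""
    return jwt_claims(token).get("iss") == expected_issuer(headers, realm, **kw)

def make_sample_token(iss):
    """Constructed, unsigned stand-in for the identity cookie value."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': iss, 'sub': 'constructed-user'})}.sig"

# Cookie issued by instance 1 in the thread's direct-access test.
DIRECT = make_sample_token("http://host.domain.com:8080/auth/realms/master")
# Cookie issued through a TLS-terminating balancer (hypothetical host name).
BALANCED = make_sample_token("https://sso.example.test/auth/realms/master")

if __name__ == "__main__":
    lb = {"Host": "sso.example.test", "X-Forwarded-Proto": "https"}
    cases = [
        ("instance 1, direct", DIRECT, {"Host": "host.domain.com:8080"}, False),
        ("instance 2, direct", DIRECT, {"Host": "host.domain.com:9080"}, False),
        ("via balancer, proxy headers honoured", BALANCED, lb, True),
        ("via balancer, proxy headers ignored", BALANCED, lb, False),
    ]
    for label, token, headers, proxy in cases:
        ok = issuer_matches(token, headers, "master", trust_proxy=proxy)
        print(f"{label:40s} issuer match: {ok}")
```

Run against a real cookie value, `jwt_claims` shows which `iss` the session was minted with, which can then be compared with the URL each node sees.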

