I have Keycloak running in Kubernetes. I am using Kubernetes Ingress to proxy requests to Keycloak. So, anything going to https://www.example.com/keycloak gets the keycloak suffix removed (via URL rewriting) and sent to the Keycloak server. I have the environment variable KEYCLOAK_FRONTEND_URL for the Keycloak Docker container set to https://tierzero-qa.ymeadows.com/keycloak/auth, so that it rewrites the URLs correctly for being behind a proxy. This works fine and I can access the admin URL, etc.
I’ve inspected the SAML authentication request sent to https://www.example.com/keycloak/auth/realms/my-realm/broker/my-provider/endpoint which returns a 400. The SAML XML contains:
Yes, it was because I have Keycloak in Kubernetes behind an Ingress service. I’m using Nginx Ingress. I needed to configure use_forward_headers to true. I also had to ensure that the incoming connection came into Nginx Ingress via HTTPS and port 443.
This issue happens when Keycloak thinks that the URL it is being contacted on is different than the URL in the payload. You have to make sure that all the X-Forwarded-* headers are being sent correctly and that Keycloak is configured to use them. Otherwise it might think it’s at a different URL than it really is at.
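The setup the answer above describes, written out as an added example (these are not the poster's manifests). It assumes ingress-nginx as the ingress controller, a TLS-terminating load balancer in front of it, the WildFly-based jboss/keycloak image that reads KEYCLOAK_FRONTEND_URL, and placeholder namespaces, secret names and image tag:

```yaml
# Added example: not the poster's manifests. Namespace, names and image tag are assumptions.
---
# 1. ingress-nginx controller ConfigMap: pass the client's scheme/host/port on to the backend.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller      # assumed name of the controller's ConfigMap
  namespace: ingress-nginx
data:
  # Forward the incoming X-Forwarded-* headers instead of regenerating them.
  # Only safe when a trusted proxy/LB sits in front of nginx; a client that can
  # reach nginx directly could otherwise spoof them.
  use-forwarded-headers: "true"
---
# 2. Ingress: strip the /keycloak prefix before proxying, and keep TLS on 443.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak                  # assumed
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: nginx
  tls:
    - hosts: [www.example.com]
      secretName: keycloak-tls         # assumed TLS secret
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /keycloak(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
---
# 3. Keycloak container: tell it its public URL and that it sits behind a proxy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
spec:
  replicas: 1
  selector:
    matchLabels: {app: keycloak}
  template:
    metadata:
      labels: {app: keycloak}
    spec:
      containers:
        - name: keycloak
          image: jboss/keycloak:12.0.4   # assumed: the WildFly-based image that reads KEYCLOAK_FRONTEND_URL
          env:
            - name: KEYCLOAK_FRONTEND_URL
              value: https://www.example.com/keycloak/auth
            - name: PROXY_ADDRESS_FORWARDING   # honour X-Forwarded-* when building request URLs
              value: "true"
          ports:
            - containerPort: 8080
```

Two things to check after applying this: `use-forwarded-headers` only makes sense when the hop in front of nginx is trusted, since it tells nginx to believe whatever X-Forwarded-Proto/Host/Port it receives; and if nginx is itself the first hop, leave it at its default so nginx derives those headers from its own listener, which is why the connection into the ingress then has to arrive over HTTPS on 443.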
Hi,
Can you give more technical info - the setting that you changed (Keycloak is configured to use them)?
I’m having this issue in 3 different settings…
EKS + istio 1.6
Openshift 4.6 + routes
Aks + istio 1.6
Hi,
I’m having a similar issue. I’m using a load balancer (ALB) and all the necessary headers are passed to Keycloak.
But the destination check fails due to this error:
For some reason “default-host:8080” comes in the requestUri from the Resteasy internal UriInfo implementation.
The Frontend URI is set in the realm properties, but it looks like it is not used in SAML response handling. What could cause such behavior? And what else should be configured?
Appreciate any ideas. Thanks!
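To make the failure mode concrete for both the earlier answer (Keycloak believing it is at a different URL than the one in the payload) and the "default-host:8080" report above, here is an added example that is not Keycloak's code and not from this thread. It rebuilds the request URL the way a proxy-aware server would, once ignoring and once honouring the X-Forwarded-* headers, and compares it with the Destination attribute of a constructed SAML Response. The sample message, header values and the hostnames are constructed for illustration; the path uses no rewrite prefix so the comparison stays focused on scheme, host and port.

```python
"""Added example (not from the thread or from Keycloak): SAML Destination check
with and without trusting X-Forwarded-* headers."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: only the attributes needed for the destination check.
PATH = "/auth/realms/my-realm/broker/my-provider/endpoint"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    Destination="https://www.example.com{PATH}">
</samlp:Response>"""

# Constructed headers as a TLS-terminating load balancer would add them.
FORWARDED_HEADERS = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "www.example.com",
    "X-Forwarded-Port": "443",
}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def saml_destination(xml_text: str) -> str:
    """Return the Destination attribute of a SAML Response."""
    return ET.fromstring(xml_text).get("Destination")


def effective_request_url(scheme: str, host: str, port: int, path: str,
                          headers: dict, trust_forwarded: bool) -> str:
    """Reconstruct the URL the server believes it was called on.

    scheme/host/port describe the backend listener itself (e.g. the plain
    http://default-host:8080 a container sees). When trust_forwarded is True,
    the X-Forwarded-* headers override them, which is what a proxy-aware
    server does; when False they are ignored, which reproduces the mismatch.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if trust_forwarded:
        # Take the first value in case an upstream proxy appended to the list.
        scheme = h.get("x-forwarded-proto", scheme).split(",")[0].strip().lower()
        fwd_host = h.get("x-forwarded-host")
        if fwd_host:
            host, _, host_port = fwd_host.split(",")[0].strip().partition(":")
            if host_port:
                port = int(host_port)
        if "x-forwarded-port" in h:
            port = int(h["x-forwarded-port"].split(",")[0].strip())
    netloc = host if port == _DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def _canonical(url: str):
    """Normalise scheme/host case and default ports before comparing."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme), u.path)


def destination_matches(destination: str, request_url: str) -> bool:
    """The check a SAML endpoint performs: Destination must equal the request URL."""
    return _canonical(destination) == _canonical(request_url)


def mismatched_components(destination: str, request_url: str) -> list:
    """Name the parts that differ, to show why a check failed."""
    names = ("scheme", "host", "port", "path")
    return [n for n, a, b in zip(names, _canonical(destination), _canonical(request_url)) if a != b]


if __name__ == "__main__":
    dest = saml_destination(SAMPLE_RESPONSE)
    for trust in (False, True):
        url = effective_request_url("http", "default-host", 8080, PATH, FORWARDED_HEADERS, trust)
        print(f"trust_forwarded={trust}: {url} -> ok={destination_matches(dest, url)}",
              mismatched_components(dest, url))
```

Running it shows the two cases from the thread side by side: with the headers ignored the server thinks it was called on http://default-host:8080/... and the check fails on scheme, host and port; with the headers honoured the reconstructed URL equals the Destination and the check passes.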