Hi Team,
We are seeing a slight difference in the SAML logout request (specifically the
<samlp:SessionIndex> tag) formed by Keycloak 3.4.3 compared with Keycloak 3.1.0.
Below is the sample logout response for the same.
If you notice the highlighted section, you can see the SessionIndex value in
Keycloak 3.1.0 is one dynamic value but the SessionIndex in Keycloak 3.4.3 is
separated by "::". I am willing to know the significance of this separation.
It seems that some of the SAML Service Providers are not able to recognize
this change in the SessionIndex tag (formed by Keycloak 3.4.3) and throw the
"Error during Base64 decoding of LogoutRequest" error. Please suggest your
thoughts on this.
Kindly let me know for any further clarification on this.
#SAML Logout Request for Keycloak 3.1.0 :-
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="
https://xxxxxxxx/sap/hana/xs/saml/logout.xscfunc"
ID="ID_d3b2da60-3206-4d3f-9596-9d67427ffa5a"
IssueInstant="2019-03-15T07:51:25.547Z" Version="2.0">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://xxxxxxx/auth/realms/XXXXX
</saml:Issuer>
<samlp:Extensions>
<kckey:KeyInfo
xmlns:kckey="urn:keycloak:ext:key:1.0"
MessageSigningKeyId="LxW4jzZXu92jXUeZF9-CSmp0vUMajPpPsVU0RabB4Mk"/>
</samlp:Extensions>
<saml:NameID
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxx@xxx.com
</saml:NameID>
<samlp:SessionIndex>4d0ad6ad-370a-4a3a-b6ef-eaaaed06dad3</samlp:SessionIndex>
</samlp:LogoutRequest>
#SAML Logout Request for Keycloak 3.4.3 :-
<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Destination="
https://xxxxxx/sap/hana/xs/saml/logout.xscfunc"
ID="ID_9d769896-1798-4e66-acef-263b0270bb19"
IssueInstant="2019-03-15T07:59:32.178Z" Version="2.0">
<saml:Issuer
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
https://xxxxx/auth/realms/XXXXX
</saml:Issuer>
<samlp:Extensions>
<kckey:KeyInfo
xmlns:kckey="urn:keycloak:ext:key:1.0"
MessageSigningKeyId="HyaGrSnYhspOs2ZZj1vUX5EufQIa4-uh3mBL8FCl7oc"/>
</samlp:Extensions>
<saml:NameID
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
xxxx(a)xxx.com
</saml:NameID>
<samlp:SessionIndex>28d53802-0174-49e7-b6d7-ed16fdf6e909::c665a382-6583-470f-92d5-e91861edc86a</samlp:SessionIndex>
</samlp:LogoutRequest>
--
With Regards, Jyoti Kumar Singh
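Added example (not part of the original post or of Keycloak): an SP-side parser that extracts the SessionIndex from a LogoutRequest like the ones above and matches it as an opaque string against what the SP stored at login, while also splitting a "::"-separated value into its two parts for diagnostics. It assumes the two-part form is two opaque identifiers joined by "::" (the post does not say what each part means), and the sample request and hostnames are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample modelled on the Keycloak 3.4.3 request in the post
# (hosts and IDs are placeholders; the Extensions block is omitted).
LOGOUT_REQUEST_343 = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.invalid/saml/logout"
  ID="ID_example" IssueInstant="2019-03-15T07:59:32.178Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    https://idp.example.invalid/auth/realms/demo
  </saml:Issuer>
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    user@example.invalid
  </saml:NameID>
  <samlp:SessionIndex>28d53802-0174-49e7-b6d7-ed16fdf6e909::c665a382-6583-470f-92d5-e91861edc86a</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_logout_request(xml_text: str) -> Dict[str, object]:
    """Return issuer, NameID and every SessionIndex carried by a LogoutRequest.
    Surrounding whitespace (as in the line-wrapped samples) is stripped."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    name_id = (root.findtext("saml:NameID", default="", namespaces=NS) or "").strip()
    indexes: List[str] = [e.text.strip() for e in root.findall("samlp:SessionIndex", NS) if e.text]
    return {"issuer": issuer, "name_id": name_id, "session_indexes": indexes}


def split_session_index(value: str) -> Tuple[str, Optional[str]]:
    """Split 'a::b' into ('a', 'b'); a single value yields (value, None)."""
    head, sep, tail = value.partition("::")
    return head, (tail if sep else None)


def logout_matches_stored(request_xml: str, stored_index: str) -> bool:
    """SessionIndex is opaque: compare the full string the SP recorded at
    login, so both the single and the 'a::b' form work without guessing."""
    return stored_index in parse_logout_request(request_xml)["session_indexes"]
```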