Hey Ed, Ouch, bad NetIQ :-( apparently it considers the signature on the request as something unexpected, which it really shouldn't... However, you should be able to configure the signing certificate of Keycloak on the NetIQ side (which you needed to do anyway for the validation of the Logout requests) and make it "require" or "expect" signed authentication requests from the Keycloak SP. Hans.