Hi John,
Thank you very much for your reply.
Yes, it looks a little irrelevant with respect to base64 decoding, but when I
compared the SAML logout response produced by Keycloak 3.1.0 and Keycloak
3.4.3, the only difference I see is in the SessionIndex value.
Interestingly, SAML logout works fine at the SP with Keycloak 3.1.0, but I am
getting the base64 decode error only with Keycloak 3.4.3, hence I mailed
regarding this.
I am also checking with the SP support team to know why this error occurred. In
case I need some other information from your side, I will mail you back.
Thanks again for your help.
On Fri, 15 Mar 2019, 18:44 John Dennis, <jdennis(a)redhat.com> wrote:
On 3/15/19 5:06 AM, Jyoti Kumar Singh wrote:
> Hi Team,
>
> We are seeing a slight difference in the SAML logout request (specifically
> the *<samlp:SessionIndex>* tag) formed by Keycloak 3.4.3 compared with
> Keycloak 3.1.0. Below is the sample logout response for the same.
>
> If you notice the highlighted section, you can see the *SessionIndex* value
> in Keycloak 3.1.0 is one dynamic value, but the *SessionIndex* in Keycloak
> 3.4.3 is separated by " *::* ". I am willing to know the significance of
> this separation.
>
> It seems that some of the SAML Service Providers are not able to recognize
> this change in the SessionIndex tag (formed by Keycloak 3.4.3) and throw an
> *Error during Base64 decoding of LogoutRequest* error. Please suggest your
> thoughts on this.
>
> Kindly let me know for any further clarification on this.
The SAML Core specification defines the type of a SessionIndex as a
string. There are no restrictions on the content of the string. There
are some recommendations regarding the string content with respect to
privacy. Hence session participants should treat the SessionIndex as an
opaque identifier.
If an SP is generating an error because of the presence of some
combination of characters in the opaque identifier, it would be an SP
implementation issue.
I have no idea why base64 decoding would be relevant in this context.
--
John Dennis
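To illustrate the point made in the thread, here is an added example (not code from Keycloak or from anyone in this thread) of how an SP can handle a LogoutRequest: base64 decoding applies only to the transport envelope, and the SessionIndex inside is extracted and compared as an opaque string, so a value containing "::" is matched exactly like any other. The LogoutRequest messages, issuer URL and NameID are constructed sample data.

```python
import base64
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace URIs from the SAML 2.0 Core specification.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_logout_request(session_index):
    """Constructed minimal LogoutRequest carrying the given SessionIndex,
    base64-encoded as it would travel in a SAMLRequest form field
    (HTTP-POST binding). Sample data only, not a real Keycloak message."""
    xml = (
        '<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
        'ID="ID_constructed" Version="2.0" IssueInstant="2019-03-15T10:00:00Z">'
        "<saml:Issuer>https://idp.example.test/auth/realms/demo</saml:Issuer>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
        "user-123</saml:NameID>"
        "<samlp:SessionIndex>%s</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    ) % (NS["samlp"], NS["saml"], escape(session_index))
    return base64.b64encode(xml.encode("utf-8"))


def extract_session_indexes(saml_request_b64):
    """SP side: decode the transport envelope (the only base64 step there is),
    parse the XML namespace-aware, and return every SessionIndex element's
    text as an opaque string. For untrusted input in production, parse with
    defusedxml instead of xml.etree."""
    doc = base64.b64decode(saml_request_b64, validate=True)
    root = ET.fromstring(doc)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    return [(el.text or "") for el in root.findall("samlp:SessionIndex", NS)]


def session_matches(stored_index, request_indexes):
    """Byte-for-byte comparison against the index stored at login time;
    the value is never split on '::' or otherwise interpreted."""
    return any(
        hmac.compare_digest(stored_index.encode("utf-8"), idx.encode("utf-8"))
        for idx in request_indexes
    )
```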