Hello Max,
Mmm, I would need to get my hands dirty again with this. This reminds me
that I had an issue with the logout verification signature, see here [1].
Would disabling the signature for the auth request be acceptable for your
system? Our security team is OK with this, or maybe they never realized
;)
Cheers,
Luis
[1] http://lists.jboss.org/pipermail/keycloak-user/2018-September/015420.html
On Fri, 8 Feb 2019 at 9:34, <max(a)mascanc.net> wrote:
Hi,
On Wed, Feb 06, 2019 at 02:13:46PM +0100, Luis Rodríguez Fernández wrote:
> May I ask what the client implementation is? For my dev environment,
> using the Tomcat SAML adapter on the SP side and Keycloak
> 4.8.2.Final-SNAPSHOT on the IdP side, it is working:
It is strange: going into remote debug with Eclipse (running locally on my
MacOS), I have been able to obtain a successful redirect, and I did not see
any trivial points where the assertion signature could be damaged.
I'll investigate for encoding issues on the Linux machine.
In the code, the only point at which the assertion is marshalled to DOM is
through a call to parse() on the InputStream.
The DOM builder factory is assigned to a ThreadLocal: why? Could it be
a threading issue, given the lack of thread safety in the DOM implementation?
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
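To make the two questions raised in the thread concrete (whether the raw bytes of the assertion can be altered on the way to the DOM parser, and why a DocumentBuilder is held per thread), here is an added, self-contained example in Java. It is not Keycloak's or the Tomcat adapter's code: it signs a small, constructed assertion with an enveloped XML-DSig, verifies it straight from the bytes, and then verifies a copy that has been round-tripped through a String with a mismatched charset, which is the kind of encoding damage that breaks a signature. The assertion content, the `SamlSignatureCheck` class and its method names are all assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical helper written for this example; not part of Keycloak.
public class SamlSignatureCheck {

    // DocumentBuilder is not thread-safe, so a per-thread instance is the usual
    // answer to the ThreadLocal question: each thread parses with its own builder.
    // Namespace awareness is mandatory for XML-DSig; the remaining features close
    // off DTD/entity processing, which a SAML consumer never needs.
    private static final ThreadLocal<DocumentBuilder> BUILDER = ThreadLocal.withInitial(() -> {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
            return f.newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException(e);
        }
    });

    // Parse the received octets directly. Going through new String(bytes) first uses
    // the platform default charset, which differs between machines and can change
    // the signed content before it ever reaches the digest computation.
    static Document parse(byte[] raw) throws Exception {
        return BUILDER.get().parse(new ByteArrayInputStream(raw));
    }

    // Validate the single enveloped signature against a key we already trust
    // (the IdP certificate); KeyInfo inside the message is deliberately ignored.
    static boolean verify(Document doc, PublicKey idpKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // zero or several Signature elements: reject, do not guess
        }
        DOMValidateContext ctx = new DOMValidateContext(idpKey, sigs.item(0));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // false on digest or signature mismatch
    }

    // Constructed sample: a minimal assertion with a non-ASCII subject, signed
    // with RSA-SHA256 over an exclusive-C14N, enveloped reference.
    static byte[] signedAssertion(KeyPair kp) throws Exception {
        String xml = "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
                + "<Subject>Álvaro</Subject></Assertion>";
        Document doc = parse(xml.getBytes(StandardCharsets.UTF_8));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toByteArray(); // serialized as UTF-8 by default
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        byte[] signed = signedAssertion(kp);
        System.out.println("parsed from raw bytes: " + verify(parse(signed), kp.getPublic()));
        // Simulated charset damage: decode as ISO-8859-1, re-encode as UTF-8. Still
        // well-formed XML, but the subject's octets differ from what was signed.
        byte[] mangled = new String(signed, StandardCharsets.ISO_8859_1).getBytes(StandardCharsets.UTF_8);
        System.out.println("after charset round-trip: " + verify(parse(mangled), kp.getPublic()));
    }
}
```

Run with `java SamlSignatureCheck.java` on JDK 11 or later. The first check passes and the second fails, even though the mangled document still parses, which is exactly the symptom of a signature "damaged" by an encoding difference between two machines rather than by a bug in the signature code itself. The per-thread builder is also the reason a ThreadLocal does not by itself indicate a threading bug: it is the standard way to reuse a non-thread-safe DocumentBuilder without sharing it across requests.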