Dear Keycloak dev team, Seems like Keycloak does not send the NameQualifer and SPNameQualifier in a SAML LogoutRequest. See this issue in Shibboleth: https://issues.shibboleth.net/jira/browse/IDP-1297 Are you able to confirm that? Is it something you could fix in a next release? Thanks in advance, Daniel