[keycloak-user] Problem with SAML SLO with Redirect Binding

pubudu gunawardena pubudupg at gmail.com
Fri Jun 5 02:51:19 EDT 2015


Hi All,

When trying out SAML SLO with Keycloak using the Redirect Binding, I noticed
that the "SigAlg" GET parameter of the logout response was set to
something like "SHA256withRSA". Quoting from section "3.4.4.1 DEFLATE
Encoding" of the spec:

"The signature algorithm identifier MUST be included as an additional
query string parameter, named SigAlg. The value of this parameter MUST
be a URI that identifies the algorithm used to sign the URL-encoded
SAML protocol message, specified according to [XMLSig] or whatever
specification governs the algorithm."

Libraries such as simplesamlphp and php-saml expect it to be a URI
in the form of "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".
The mismatch causes those libraries to give errors when used with the
Keycloak IdP.

-- 
Thanks,
Pubudu
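An added example, not from the thread or from Keycloak: a stdlib-only Python check an SP could run on the redirect-binding query string, which rebuilds the signed string in the parameter order section 3.4.4.1 mandates and rejects a SigAlg carrying a bare JCA name instead of an algorithm URI. The URI table, the function names and the sample query values are assumptions constructed for this example.

```python
from urllib.parse import quote, unquote

# Constructed table: XMLSig / xmldsig-more algorithm URIs accepted on the SP
# side, mapped to the JCA names an IdP uses internally.
SIG_ALG_URIS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA1withRSA",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA256withRSA",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA512withRSA",
}
JCA_TO_URI = {jca: uri for uri, jca in SIG_ALG_URIS.items()}


def split_raw_query(query):
    """Split a query string WITHOUT decoding values: the redirect-binding
    signature covers the URL-encoded octets exactly as they were sent."""
    raw = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            raw[key] = value
    return raw


def parse_redirect_binding(query):
    """Return (signed_data, sig_alg_uri, jca_name, signature_b64) for an
    HTTP-Redirect message, or raise ValueError when SigAlg is not a known
    algorithm URI (e.g. a bare JCA name such as 'SHA256withRSA')."""
    raw = split_raw_query(query)
    msg_param = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    if msg_param not in raw or "SigAlg" not in raw or "Signature" not in raw:
        raise ValueError("missing SAMLRequest/SAMLResponse, SigAlg or Signature")
    sig_alg = unquote(raw["SigAlg"])
    if sig_alg not in SIG_ALG_URIS:
        raise ValueError(f"SigAlg must be an algorithm URI, got {sig_alg!r}")
    # Section 3.4.4.1 fixes the order of the signed string regardless of the
    # order the parameters appear in the URL; RelayState only if present.
    parts = [f"{msg_param}={raw[msg_param]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts), sig_alg, SIG_ALG_URIS[sig_alg], unquote(raw["Signature"])


def sig_alg_param_for(jca_name):
    """What an IdP should emit as SigAlg: the URL-encoded URI, not the JCA name."""
    return quote(JCA_TO_URI[jca_name], safe="")
```

The returned signed_data is the exact octet string to feed to the RSA verification for the algorithm named by jca_name; the signature itself is still checked with the IdP's certificate, which this snippet leaves to the SP's crypto library.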
