[keycloak-user] SAML Logout fails with: "Invalid query param signature"

Luis Rodríguez Fernández uo67113 at gmail.com
Mon Sep 3 12:38:56 EDT 2018


Hello there,

Using keycloak-saml-tomcat8-adapter-dist-4.2.1.Final, I always get
"org.keycloak.common.VerificationException: Invalid query param signature"
when the IdP sends the LogoutResponse.

I've compared the implementation of
AbstractSamlAuthenticationHandler.verifyRedirectBindingSignature [1] with a
custom one that I developed myself and the only differences are:
- The way the parameters are decoded: I use java.util.Base64
while Keycloak uses its own (org.keycloak.saml.common.util.Base64)

I am using REDIRECT for the SingleLogoutService.responseBinding.

Any thoughts on this?

Thanks in advance,

Luis



[1]
https://github.com/keycloak/keycloak/blob/79774d2f0730593d504072aaabb1b87d77e3968c/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java#L602

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
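
For reference, an added example that is not part of the original post and is not Keycloak's code: a minimal HTTP-Redirect binding signature check using java.util.Base64, showing that the signature covers the percent-encoded parameter values exactly as sent, so changing their encoding invalidates it. The class name, throwaway key pair and query string are constructed for the illustration, and only rsa-sha256 is handled.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class RedirectBindingSignatureDemo {
    // Raw (still percent-encoded) value of a query parameter, or null if absent.
    static String rawParam(String rawQuery, String name) {
        for (String pair : rawQuery.split("&"))
            if (pair.startsWith(name + "=")) return pair.substring(name.length() + 1);
        return null;
    }
    // SAML 2.0 Bindings 3.4.4.1: the signed octets are the encoded values as sent,
    // ordered SAMLResponse (or SAMLRequest), RelayState (if present), SigAlg.
    static String signedContent(String rawQuery) {
        String msg = rawParam(rawQuery, "SAMLResponse") != null ? "SAMLResponse" : "SAMLRequest";
        StringBuilder sb = new StringBuilder(msg).append('=').append(rawParam(rawQuery, msg));
        String relay = rawParam(rawQuery, "RelayState");
        if (relay != null) sb.append("&RelayState=").append(relay);
        return sb.append("&SigAlg=").append(rawParam(rawQuery, "SigAlg")).toString();
    }
    static boolean verify(String rawQuery, PublicKey key) throws Exception {
        String sigParam = URLDecoder.decode(rawParam(rawQuery, "Signature"), "UTF-8");
        // java.util.Base64 basic decoder: throws on any character outside the alphabet.
        byte[] sig = Base64.getDecoder().decode(sigParam);
        Signature v = Signature.getInstance("SHA256withRSA"); // demo assumes rsa-sha256
        v.initVerify(key);
        v.update(signedContent(rawQuery).getBytes(StandardCharsets.UTF_8));
        return v.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key, constructed for the demo
        // Constructed sample: stand-in payload with lowercase percent-escapes.
        String signed = "SAMLResponse=ZHVtbXk%2bcGF5bG9hZA%3d%3d&SigAlg="
                + URLEncoder.encode("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "UTF-8");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(signed.getBytes(StandardCharsets.UTF_8));
        String query = signed + "&Signature="
                + URLEncoder.encode(Base64.getEncoder().encodeToString(s.sign()), "UTF-8");
        System.out.println("as received: " + verify(query, kp.getPublic()));
        // Decode-then-re-encode turns %2b into %2B, so the signed octets differ.
        String reencoded = query.replace("%2b", "%2B").replace("%3d", "%3D");
        System.out.println("re-encoded:  " + verify(reencoded, kp.getPublic()));
    }
}
```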

