[keycloak-user] SAML Logout fails with: "Invalid query param signature"

Luis Rodríguez Fernández uo67113 at gmail.com
Mon Sep 3 12:38:56 EDT 2018

Hello there,

Using keycloak-saml-tomcat8-adapter-dist-4.2.1.Final, I always get
"org.keycloak.common.VerificationException: Invalid query param signature"
when the IdP sends the LogoutResponse.

I've compared the implementation of
AbstractSamlAuthenticationHandler.verifyRedirectBindingSignature [1] with a
custom one that I developed myself and the only differences are:
- The way the parameters are decoded: I use java.util.Base64
while Keycloak uses its own (org.keycloak.saml.common.util.Base64).

I am using the REDIRECT for the SingleLogoutService.responseBinding.

Any thoughts on this?

Thanks in advance,




"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
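
Added example, not part of the original message and not Keycloak's code: a stand-alone check of an HTTP-Redirect binding signature as the SAML 2.0 Bindings specification (section 3.4.4.1) defines it, using java.util.Base64, showing that verification only succeeds over the query values exactly as they arrived on the wire. The class name, key pair, RelayState and SAMLResponse placeholder are constructed for the demo.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added example (not Keycloak code); all sample values below are constructed.
public class RedirectSigDemo {
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Value of a query parameter exactly as it appeared on the wire, or null.
    static String raw(String query, String name) {
        for (String pair : query.split("&"))
            if (pair.startsWith(name + "=")) return pair.substring(name.length() + 1);
        return null;
    }

    // Signed octets: raw URL-encoded values, order SAMLResponse, RelayState, SigAlg.
    static boolean verify(String query, PublicKey key) throws Exception {
        String msg = raw(query, "SAMLResponse"), relay = raw(query, "RelayState");
        String sigAlg = raw(query, "SigAlg"), sig = raw(query, "Signature");
        if (msg == null || sigAlg == null || sig == null) return false;
        if (!RSA_SHA256.equals(URLDecoder.decode(sigAlg, "UTF-8"))) return false;
        String signed = "SAMLResponse=" + msg
            + (relay != null ? "&RelayState=" + relay : "") + "&SigAlg=" + sigAlg;
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        v.update(signed.getBytes(StandardCharsets.UTF_8));
        try { // only the Signature value itself is URL-decoded, then Base64-decoded
            return v.verify(Base64.getDecoder().decode(URLDecoder.decode(sig, "UTF-8")));
        } catch (IllegalArgumentException | SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key for the demo
        // Placeholder payload; lower-case percent escapes are legal on the wire.
        String signed = "SAMLResponse=fZJ%2bdemo%3d&RelayState=abc&SigAlg="
            + URLEncoder.encode(RSA_SHA256, "UTF-8");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(signed.getBytes(StandardCharsets.UTF_8));
        String query = signed + "&Signature="
            + URLEncoder.encode(Base64.getEncoder().encodeToString(s.sign()), "UTF-8");
        System.out.println("raw values: " + verify(query, kp.getPublic()));
        // Decode-then-re-encode turns %2b into %2B, so the signed octets change.
        String reencoded = query.replace("%2b", "%2B").replace("%3d", "%3D");
        System.out.println("re-encoded: " + verify(reencoded, kp.getPublic()));
    }
}
```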
