[keycloak-user] Changes in Keycloak 3.4.3 SAML Logout Requests Spec

Jyoti Kumar Singh jyoti.tech90 at gmail.com
Fri Mar 15 05:06:42 EDT 2019


Hi Team,

We are seeing a slight difference in the SAML logout request (specifically
the *<samlp:SessionIndex>* tag) formed by Keycloak 3.4.3 compared with
Keycloak 3.1.0. Below is the sample logout response for the same.

If you notice the highlighted section, you can see that the *SessionIndex* value in
Keycloak 3.1.0 is one dynamic value, but the *SessionIndex* in Keycloak 3.4.3 is
separated by "*::*". I would like to know the significance of this
separation.

It seems that some of the SAML Service Providers are not able to recognize
this change in the SessionIndex tag (formed by Keycloak 3.4.3) and are throwing an
*Error during Base64 decoding of LogoutRequest* error. Please share your
thoughts on this.

Kindly let me know if any further clarification is needed on this.

*#SAML Logout Request for Keycloak 3.1.0 :-*

<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://xxxxxxxx/sap/hana/xs/saml/logout.xscfunc"
    ID="ID_d3b2da60-3206-4d3f-9596-9d67427ffa5a"
    IssueInstant="2019-03-15T07:51:25.547Z" Version="2.0">
    <saml:Issuer
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        https://xxxxxxx/auth/realms/XXXXX
    </saml:Issuer>
    <samlp:Extensions>
        <kckey:KeyInfo
            xmlns:kckey="urn:keycloak:ext:key:1.0"
            MessageSigningKeyId="LxW4jzZXu92jXUeZF9-CSmp0vUMajPpPsVU0RabB4Mk"/>
    </samlp:Extensions>
    <saml:NameID
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxx at xxx.com
    </saml:NameID>
    *<samlp:SessionIndex>4d0ad6ad-370a-4a3a-b6ef-eaaaed06dad3</samlp:SessionIndex>*
</samlp:LogoutRequest>

*#SAML Logout Request for Keycloak 3.4.3 :-*

<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://xxxxxx/sap/hana/xs/saml/logout.xscfunc"
    ID="ID_9d769896-1798-4e66-acef-263b0270bb19"
    IssueInstant="2019-03-15T07:59:32.178Z" Version="2.0">
    <saml:Issuer
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        https://xxxxx/auth/realms/XXXXX
    </saml:Issuer>
    <samlp:Extensions>
        <kckey:KeyInfo
            xmlns:kckey="urn:keycloak:ext:key:1.0"
            MessageSigningKeyId="HyaGrSnYhspOs2ZZj1vUX5EufQIa4-uh3mBL8FCl7oc"/>
    </samlp:Extensions>
    <saml:NameID
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
        xxxx at xxx.com
    </saml:NameID>
    *<samlp:SessionIndex>28d53802-0174-49e7-b6d7-ed16fdf6e909::c665a382-6583-470f-92d5-e91861edc86a</samlp:SessionIndex>*
</samlp:LogoutRequest>



-- 

*With Regards, Jyoti Kumar Singh*
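
An added diagnostic example, not part of the original message and not Keycloak or Service Provider code: it encodes a constructed LogoutRequest carrying the 3.4.3-style SessionIndex in both SAML bindings, decodes it again and extracts the SessionIndex, which helps separate a Base64 transport problem from a problem with the XML content. The issuer URL, the ID and all function names are assumptions made for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed sample: trimmed LogoutRequest with the 3.4.3-style SessionIndex
# quoted in the message; issuer URL and ID are placeholders.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="ID_example" Version="2.0" '
    'IssueInstant="2019-03-15T07:59:32.178Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://idp.example/auth/realms/demo</saml:Issuer>'
    '<samlp:SessionIndex>28d53802-0174-49e7-b6d7-ed16fdf6e909::'
    'c665a382-6583-470f-92d5-e91861edc86a</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
) % SAMLP

def encode_post(xml):
    """HTTP-POST binding: plain Base64 of the XML."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

def encode_redirect(xml):
    """HTTP-Redirect binding: raw DEFLATE, then Base64 (before URL-encoding)."""
    deflater = zlib.compressobj(wbits=-15)
    data = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    return base64.b64encode(data).decode("ascii")

def decode_saml_request(value):
    """Decode a SAMLRequest value from either binding back to XML text."""
    raw = base64.b64decode(value, validate=True)  # raises on non-Base64 input
    try:
        raw = zlib.decompress(raw, wbits=-15)     # Redirect binding payload
    except zlib.error:
        pass                                      # POST binding: not deflated
    return raw.decode("utf-8")

def session_indexes(xml):
    """Return every SessionIndex value with surrounding whitespace removed."""
    root = ET.fromstring(xml)
    return [(el.text or "").strip() for el in root.iter("{%s}SessionIndex" % SAMLP)]

if __name__ == "__main__":
    for name, encode in (("POST", encode_post), ("Redirect", encode_redirect)):
        for idx in session_indexes(decode_saml_request(encode(SAMPLE_XML))):
            print(name, idx, idx.split("::"))
```

Feeding `decode_saml_request` the exact SAMLRequest value captured at the Service Provider shows whether the value still decodes after transport, independent of how the provider interprets the SessionIndex.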

