[keycloak-user] Changes in Keycloak 3.4.3 SAML Logout Requests Spec
John Dennis
jdennis at redhat.com
Fri Mar 15 09:14:51 EDT 2019
On 3/15/19 5:06 AM, Jyoti Kumar Singh wrote:
> Hi Team,
>
> We are seeing a slight difference in the SAML logout request (specifically
> the *<samlp:SessionIndex>* tag) formed by Keycloak 3.4.3 compared with
> Keycloak 3.1.0. Below is the sample logout response for the same.
>
> If you notice the highlighted section, you can see the *SessionIndex* value in
> Keycloak 3.1.0 is one dynamic value but the *SessionIndex* in Keycloak 3.4.3 is
> separated by "*::*". I would like to know the significance of this
> separation.
>
> It seems that some SAML Service Providers are not able to recognize
> this change in the SessionIndex tag (formed by Keycloak 3.4.3) and throw the
> error *Error during Base64 decoding of LogoutRequest*. Please suggest your
> thoughts on this.
>
> Kindly let me know for any further clarification on this.
The SAML Core specification defines the type of a SessionIndex as a
string. There are no restrictions on the content of the string. There
are some recommendations regarding the string content with respect to
privacy. Hence session participants should treat the SessionIndex as an
opaque identifier.
If an SP is generating an error because of the presence of some
combination of characters in the opaque identifier, it would be an SP
implementation issue.
I have no idea why base64 decoding would be relevant in this context.
--
John Dennis
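To illustrate the point above, here is an added example (not code from the thread, from Keycloak, or from any SP product) that builds a minimal `<samlp:LogoutRequest>`, base64-encodes it the way the HTTP-POST binding does, decodes it on the SP side, and looks the `SessionIndex` up by exact string comparison. The issuer, NameID, request ID, timestamp and both session index values are constructed placeholders; the second one uses the `::` separator described in the question to show that the base64 layer is untouched by the content of the string and that an SP treating the value as opaque never needs to interpret it.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_logout_request(session_index: str) -> str:
    """Build a minimal <samlp:LogoutRequest> carrying the given SessionIndex.

    Issuer, NameID, ID and IssueInstant are constructed placeholders, not
    values taken from a real Keycloak deployment.
    """
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_constructed-request-id",
        "Version": "2.0",
        "IssueInstant": "2019-03-15T09:00:00Z",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = "https://idp.example.test/realms/demo"
    ET.SubElement(root, f"{{{SAML}}}NameID").text = "alice@example.test"
    # SAML Core types SessionIndex as xs:string with no further restriction,
    # so any character sequence, "::" included, is legal here.
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


def encode_for_post_binding(xml: str) -> str:
    """HTTP-POST binding: the request XML travels base64-encoded in a form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_logout_request(encoded: str) -> dict:
    """What a well-behaved SP does on receipt: strict base64 decode, XML parse,
    then read SessionIndex as an opaque string."""
    xml_bytes = base64.b64decode(encoded, validate=True)  # raises only on bad base64
    root = ET.fromstring(xml_bytes)
    name_id = root.find(f"{{{SAML}}}NameID")
    session_index = root.find(f"{{{SAMLP}}}SessionIndex")
    return {
        "name_id": name_id.text if name_id is not None else None,
        "session_index": session_index.text if session_index is not None else None,
    }


def sp_should_terminate(known_sessions: dict, session_index: str) -> bool:
    """Match the SessionIndex by exact string comparison against sessions the SP
    recorded at login. No splitting on separators, no guessing at the IdP's
    internal structure: the value is an opaque identifier."""
    return session_index in known_sessions


if __name__ == "__main__":
    # Constructed sample values: a single identifier and one joined with "::".
    samples = (
        "b1f6d0c7-3e2a-4d8e-9f1b-2c7a5e9d4f30",
        "c9a3f2e1-7b4d-4e6f-8a2c-1d5e3f7b9a21::b1f6d0c7-3e2a-4d8e-9f1b-2c7a5e9d4f30",
    )
    for idx in samples:
        encoded = encode_for_post_binding(build_logout_request(idx))
        decoded = decode_logout_request(encoded)
        print("round trip ok:", decoded["session_index"] == idx, decoded)
        print("terminate:", sp_should_terminate({idx: "alice"}, decoded["session_index"]))
```

Both sample values survive the base64 round trip unchanged, so a "Base64 decoding" error cannot be explained by the characters inside `SessionIndex`; the lookup in `sp_should_terminate` is the only place the value is used, and it only ever compares the whole string.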