[keycloak-user] Changes in Keycloak 3.4.3 SAML Logout Requests Spec
Jyoti Kumar Singh
jyoti.tech90 at gmail.com
Fri Mar 15 09:41:47 EDT 2019
Hi John,
Thank you very much for your reply.
Yes it looks little irrelevant with respect to base64 decoding but when I
compared SAML logout response produced by Keycloak 3.1.0 and Keycloak
3.4.3, I see only difference with SessionIndex value.
Interestingly, SAML logout works fine at SP with Keycloak 3.1.0 but getting
base64 decode error only with Keycloak 3.4.3, hence I mailed regarding this.
I am also checking with SP support team to know why this error occurred. In
case, I need some other information from your side, I will mail you back.
Thanks again for your help.
On Fri, 15 Mar 2019, 18:44 John Dennis, <jdennis at redhat.com> wrote:
> On 3/15/19 5:06 AM, Jyoti Kumar Singh wrote:
> > Hi Team,
> >
> > We are seeing slight difference in SAML logout request (specifically
> > *<samlp:SessionIndex>
> > *tag) formed by Keycloak 3.4.3 compared with Keycloak 3.1.0. Below is the
> > sample logout response for the same.
> >
> > If you notice the highlighted section, you can see *SessionIndex *value
> in
> > Keycloak 3.1.0 is one dynamic value but *SessionIndex *in Keycloak 3.4.3
> is
> > separated by " *::* ", I am willing to know the significance of this
> > separation.
> >
> > It seems that some of the SAML Service Provider is not able to recognize
> > this change in SessionIndex tag (formed by Keycloak 3.4.3) and throwing
> *Error
> > during Base64 decoding of LogoutRequest * error*.* Please suggest your
> > thoughts on this.
> >
> > Kindly let me know for any further clarification on this.
>
> The SAML Core specification defines the type of a SessionIndex as a
> string. There are no restrictions on the content of the string. There
> are some recommendations regarding the string content with respect to
> privacy. Hence session participants should treat the SessionIndex as an
> opaque identifier.
>
> If an SP is generating an error because of the presence of some
> combination of characters in the opaque identifier it would be SP
> implementation issue.
>
> I have no idea why base64 decoding would be relevant in this context.
>
>
> --
> John Dennis
>
More information about the keycloak-user
mailing list