Keyclaok adding escape character 
 in signature value in SAML response

I am trying to set up Keycloak as IdP and use it for SSO. The first re-direct (from the application login url to keycloak) works fine, but then, after entering the user credentials I get an “invalid signature” error from the application.

I have checked the SAML response (from keycloak to the application) and I can see that keycloak adds a weird escape character in the certificate and signature value.

Here is part of the SAML response:

<dsig:Signature xmlns:dsig="">
      <dsig:CanonicalizationMethod Algorithm="" />
      <dsig:SignatureMethod Algorithm="" />
      <dsig:Reference URI="#ID_fde25c3e-6958-4b49-bbe0-e4aeb200de98">
          <dsig:Transform Algorithm="" />
          <dsig:Transform Algorithm="" /></dsig:Transforms>
        <dsig:DigestMethod Algorithm="" />
iGNKaLxr3c9CUPpRxC3xeS0grx2FdcXWcWArlqZHdWIjQF0n9Whh5ue00HEmb+Nr5VO9jBUwRwXl&#13; VNEARy/4DeAsuXIxej0OYASBMjx+5qfmUIelXKLChTYjrdHyq2ZtD7BWfCrnNLtB7XiZsy8cYm0v&#13; ynWLlJTyxUpg+FakcxGNDnSUG6Ofslv6byQDsNY56yvqKCWbcqa1/70PD401E/Gf2XcD4paPAvHX&#13; B+wS25QFytqrxumRtlJiKcPS+IB8umpcHG4mKk3Qg9FxCRQk2Pk693VnEtYyQ5VXUTNFW8SfWpnQ&#13;

Why is keycloak adding all these escape characters ( )?
Is there a way to force it not to send it? I spoke with another developer who has more experience than me with SAML and she told me she has never seen a signature value with escape characters.
have I misconfigured something? Keycloak is running in a docker container and I am using nginx as reverse proxy.

EDIT: I am running keycloak in a docker container using NGINX as reverse proxy. The question is: is keycloak or nginx that are adding these ASCII code 13 characters? And of course, how do I fix it?

Blame your Nginx. I guess you are using HTTP Redirect SAML binding, so Nginx is encoding request parameter.

I would switch to HTTP POST binding (you never know which infrastructure is between user and keycloak, which may be doing URL encoding, which can use this problem).
If it is not possible, then configure proxy pass in the nginx config without URI.

Hi @jangaraj ,
Thank you so much for your reply!!
Sorry for the stupid question but where do I know if I am using HTTP Redirect or POST?
In the application SAML configuration file I have a field called “Single Sign-On Bind” and I have set it to “HTTP-POST”.

In the keycloak client page, I have switched on the “Force POST Binding” option, then under “Fine Grain SAML Endpoint Configuration”, I have only filled the “Assertion Consumer Service POST Binding URL” and I have left blank “Assertion Consumer Service Redirect Binding URL”.
I am still getting the same error and the ASCII characters are still there. What am I doing wrong?

I will try now to configure proxy pass as you suggested.

In keycloak I have the URLs, one for the internal/admin site and one for the public one.

I have two proxy pass rules already set up

location / {

location / {

Shouldn’t this be enough?

I have installed SAML message decoder as a Chrome extension.
I have tested both methods “redirecting” and “post” and the ASCII character is in both. Are we sure that is NGINX to blame?

The XML data of the SAML auth requests and the assertion responses are consistently encoded in Base64 or Base64URL, regardless of whether POST or REDIRECT is used. This is so that they can be transported without any problems and a proxy cannot break anything. That’s why I wouldn’t mess around with nginx any further. I suspect that the XML/Crypto libraries used are messing up here.
You are not the only one with this problem:

Thank you @mbonn

So this is a bug. Any suggestions on how to report it?

You already did a bug report, didn’t you?

1 Like

You are right! My bad.

Try to test your setup without Nginx (and any infra between browser and Keycloak, which may modify request) - then you can say that’s not a problem of the Nginx. Your Nginx config looks OK, so in this case it is very low chance that Nginx is causing a problem.

I agree. But it can be more complicated. I have had real use case, where misconfigured proxy, WAF was changing SAML request/response and then whole SAML login was failing.

Well, I hope the Keycloak team is investigating this. Broken SAML signatures are an absolute show stopper for my use-cases…

1 Like

I hope so too, but this is not very encouraging… [KEYCLOAK-8594] HTTP-Redirect violates SAML spec, base64 in URL contains whitespace - Red Hat Issue Tracker