Keycloak v22: invalid_signature with Elster's NEZO Interface (

Hello Keycloak community,

I’m a software developer for a municipal data center and I’ve run into an issue when trying to connect Keycloak v 22.0.4 with Elster’s NEZO interface ( Upon being redirected back to Keycloak from the Identity Provider, I receive an “Invalid Requester” error. Diving deeper into the server logs, I found:

ERROR [] (executor-thread-133) validation failed
WARN [] (executor-thread-133) type=IDENTITY_PROVIDER_RESPONSE_ERROR, realmId=[MY-REALM_ID], clientId=null, userId=null, ipAddress=, error=invalid_signature

I tried troubleshooting by checking the configuration in Keycloak itself. I even turned off the “Validate Signature” option in the Identity Provider configuration, thinking this might bypass the validation. However, I’m still facing the same error. It’s worth noting that I encountered this same problem in Keycloak 21.1.2 as well.

If anyone has successfully integrated their service via NEZO (Elster/ with Keycloak, your insights would be invaluable. I can provide more detailed settings information if needed.

Thank you in advance!

1 Like

Hello Keycloak community,

I wanted to provide an update on the issue I was facing with the integration of Keycloak and Elster’s NEZO interface ( Thanks to a helpful tip from the “IT-Systemhaus der Bundesagentur für Arbeit - Nürnberg,” I was able to resolve the problem without extensive troubleshooting.

Initially, I was focused on the “Validate Signature” setting, but it turns out the key difference was in the “Want Assertions signed” setting. I had to set it to “false” to make the integration work correctly.

For those who might encounter a similar issue, here’s an example configuration that worked for me:

  - addReadTokenRoleOnCreate: false
      alias: uk
      authenticateByDefault: false
        addExtensionsElementWithKeyInfo: false
        allowCreate: true
        allowedClockSkew: 0
        attributeConsumingServiceIndex: 0
        backchannelSupported: false
        enabledFromMetadata: true
        encryptionAlgorithm: RSA-OAEP
        encryptionPublicKey: MIIF...l01E=
        entityId: https://interne-keycloak-umgebung
        forceAuthn: false
        loginHint: false
        nameIDPolicyFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        postBindingAuthnRequest: true
        postBindingLogout: true
        postBindingResponse: true
        principalType: Subject NameID
        signSpMetadata: false
        signatureAlgorithm: RSA_SHA256_MGF1
        signingCertificate: MIIF...5XQs=
        validateSignature: true
        wantAssertionsEncrypted: false
        wantAssertionsSigned: false
        wantAuthnRequestsSigned: true
        xmlSigKeyInfoKeyNameTransformer: KEY_ID
      enabled: true
      firstBrokerLoginFlowId: firstBrokerLogin
      linkOnly: false
      providerId: saml
      storeToken: false
      trustEmail: false

I based my solution on this configuration, and it worked for me. I hope it works for others who may face a similar challenge in the future.