Red Hat build of Keycloak / RHBK-3219

Front logout channel broken in 26.2.5 for saml [GHI#40637]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      saml

      Describe the bug

      We were using Keycloak and upgrading Keycloak regularly until version 26.1.3 and Front logout channel was working great so far.
      After upgrading to 26.2.5, something broke Front logout channel for us.

      I log in to Application A.
      I then log in to Application B.
      If I click logout on Application B, it will try to log out from Application A, and fail.

      In one of our applications, the message the application gave was:

      **PEM_read_bio_X509: no start line (Expecting: CERTIFICATE)**
      

      On another application, the log line was

      2025-06-20 13:24:28,268 DEBUG [web.AUTH_DEBUG dispatcherServlet.766] - [2001:730:130:8071::53] - request-URI: /vrtx/__vrtx/app-resources/saml/sp - Failed to inflate SAML response
      java.util.zip.ZipException: invalid code lengths set
      	at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:182) ~[?:?]
      	at vtk.util.io.IO$ReadBase.readInputStream(IO.java:339) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
      	at vtk.util.io.IO$1.perform(IO.java:568) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
      	at vtk.util.io.IO$1.perform(IO.java:565) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
      	at vtk.auth.saml.SamlService.inflate(SamlService.java:1087) ~[vtk-core-2025.SAMLDEBUG1-SNAPSHOT.jar!/:?]
      (...)
      

      and sometimes:

      025-06-19 11:23:30,470 DEBUG [web.AUTH_DEBUG dispatcherServlet.468] - [2001:730:130:8071::53] - request-URI: /vrtx/__vrtx/app-resources/saml/sp - Failed to unmarshall SAML request
      org.xml.sax.SAXParseException: Invalid byte 1 of 1-byte UTF-8 sequence.
      

      and

      2025-06-19 11:34:11,571 TRACE [web.AUTH_DEBUG dispatcherServlet.1863] - Unmarshall: failed to parse XML: �Rˊ�0����l��X$��P0L��f�*#�%UWn���c�L
      


      
      

      I am not sure if this has something to do with some saml bugfixes regarding signatures, but it simply stopped working after upgrading.

      Version

      26.2.5

      Regression

      [x] The issue is a regression

      Expected behavior

      Being able to log out from all applications via front channel logout in SAML.

      Actual behavior

      Applications are somehow refusing to log out and throwing different errors.

      How to Reproduce?

      Have SAML clients configured with front channel logout
      Log in to one of them
      Log in to the second
      Log out on the second
      You'll get an error from the first one.

      Anything else?

      No response

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core Clients
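The log lines in the report show one service provider failing to inflate a message and another failing to parse one as XML. As a triage aid, and as an added example that is not part of the report or of Keycloak, this Python helper classifies a captured, URL-decoded SAMLRequest or SAMLResponse value as base64 of raw DEFLATE (the HTTP-Redirect binding's encoding) or base64 of plain XML (the HTTP-POST binding's encoding). The function names and the sample message are constructed for illustration.

```python
import base64
import binascii
import zlib

MAX_XML = 1 << 20  # cap inflated size so a hostile payload cannot exhaust memory


def looks_like_xml(data: bytes) -> bool:
    """True if data is UTF-8 text whose first non-blank character is '<'."""
    try:
        return data.decode("utf-8").lstrip().startswith("<")
    except UnicodeDecodeError:
        return False


def classify_saml_param(value: str) -> str:
    """Classify a URL-decoded SAMLRequest/SAMLResponse parameter value."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if looks_like_xml(raw):
        return "post-plain"          # base64(XML), HTTP-POST binding style
    inflater = zlib.decompressobj(-15)  # -15 = raw DEFLATE, no zlib header
    try:
        xml = inflater.decompress(raw, MAX_XML)
    except zlib.error:
        return "unknown"             # neither XML nor a DEFLATE stream
    if inflater.eof and looks_like_xml(xml):
        return "redirect-deflate"    # base64(DEFLATE(XML)), HTTP-Redirect style
    return "unknown"                 # truncated, oversized or non-XML content


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE, used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


# Constructed sample message; not taken from the report.
SAMPLE_XML = (b'<samlp:LogoutRequest ID="_constructed" Version="2.0" '
              b'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>')
SAMPLE_POST = base64.b64encode(SAMPLE_XML).decode()
SAMPLE_REDIRECT = base64.b64encode(deflate_raw(SAMPLE_XML)).decode()

if __name__ == "__main__":
    for label, value in (("POST", SAMPLE_POST), ("Redirect", SAMPLE_REDIRECT)):
        print(label, "->", classify_saml_param(value))
```

Running it over the value an application actually received shows whether the encoding matches the binding that application's logout endpoint expects.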