Before reporting an issue

• I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

saml

Describe the bug

Since we have moved to 26.5.0, Keycloaks fails to decrypt the SAML response coming from one of our customers' identity provider.
We are getting that error log

2026-01-07 13:58:26,911 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-6) Uncaught server error: java.lang.IllegalArgumentException: base64 decode failed: Illegal base64 character d

I can provide the encrypted SAML response privately.

Version

26.5.0

Regression

• The issue is a regression

Expected behavior

The SAML response is decrypted as it used to be in the previous versions

Actual behavior

2026-01-07 13:58:26,911 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (executor-thread-6) Uncaught server error: java.lang.IllegalArgumentException: base64 decode failed: Illegal base64 character d

How to Reproduce?

I have the SAML response coming from the customer IDP, I can provide it privately

Anything else?

No response