diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 4da24ccaeabf..120da58d27a7 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -531,7 +531,7 @@ protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenRespo
 identity.setEmail(email);
- identity.setBrokerUserId(issuer + "." + id);
+ identity.setBrokerUserId(Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8)) + "." + id);
 if (preferredUsername == null) {
 preferredUsername = email;
@@ -543,7 +543,7 @@ protected BrokeredIdentityContext extractIdentity(AccessTokenResponse tokenRespo
 identity.setUsername(preferredUsername);
 if (tokenResponse != null && tokenResponse.getSessionState() != null) {
- identity.setBrokerSessionId(issuer + "." + tokenResponse.getSessionState());
+ identity.setBrokerSessionId(Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8)) + "." + tokenResponse.getSessionState());
 }
 if (tokenResponse != null) identity.getContextData().put(FEDERATED_ACCESS_TOKEN_RESPONSE, tokenResponse);
 if (tokenResponse != null) processAccessTokenResponse(identity, tokenResponse);
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
index 6499312da16c..e79855a4e7d9 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
@@ -23,6 +23,7 @@
 import org.jboss.logging.Logger;
 import org.jboss.resteasy.reactive.NoCache;
+import org.keycloak.common.util.Base64Url;
 import org.keycloak.http.HttpRequest;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
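Review bot: The `Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8))` prefix is spelled out inline in the `setBrokerUserId` line here, again in the `setBrokerSessionId` line of the next hunk, and a third time as `issuerBase64` in the LogoutEndpoint hunk; the backchannel logout lookup only succeeds while all three stay byte-identical, so a single shared helper such as `public static String brokerIdPrefix(String issuer) { return Base64Url.encode(issuer.getBytes(StandardCharsets.UTF_8)); }` called from both classes would turn a future divergence into a compile error instead of a silent failure to terminate sessions. The new prefix also changes the broker user id for every identity linked under the old `issuer + "." + id` format; nothing in these hunks rewrites existing links, so users linked before this change would presumably stop matching on their next brokered login and their sessions could not be found from a logout token unless a migration exists elsewhere. A short comment on the encoding line, e.g. `// Base64Url keeps the issuer free of '.' so the issuer/id separator stays unambiguous`, would record the reason for the encoding, which the hunk does not state. extractIdentity starts and ends outside the hunk.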
@@ -74,6 +75,7 @@
 import org.keycloak.sessions.RootAuthenticationSessionModel;
 import org.keycloak.util.TokenUtil;
+import java.nio.charset.StandardCharsets;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -569,11 +571,13 @@ public Response backchannelLogout() {
 BackchannelLogoutResponse backchannelLogoutResponse;
+ String issuerBase64 = Base64Url.encode(logoutToken.getIssuer().getBytes(StandardCharsets.UTF_8));
+
 if (logoutToken.getSid() != null) {
- backchannelLogoutResponse = backchannelLogoutWithSessionId(logoutToken.getIssuer() + "." + logoutToken.getSid(),
- logoutOfflineSessions, logoutToken.getIssuer() + "." + logoutToken.getSubject());
+ backchannelLogoutResponse = backchannelLogoutWithSessionId(issuerBase64 + "." + logoutToken.getSid(),
+ logoutOfflineSessions, issuerBase64 + "." + logoutToken.getSubject());
 } else {
- backchannelLogoutResponse = backchannelLogoutFederatedUserId(logoutToken.getIssuer() + "." + logoutToken.getSubject(),
+ backchannelLogoutResponse = backchannelLogoutFederatedUserId(issuerBase64 + "." + logoutToken.getSubject(),
 logoutOfflineSessions);
 }
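Review bot: The new `issuerBase64` line calls `logoutToken.getIssuer().getBytes(...)` with no null check, so a logout token that lacks an issuer claim now raises a NullPointerException at this point, whereas the old concatenation produced the harmless non-matching string `null.`. If the logout-token validation that precedes this line (not visible in the hunk) already rejects a missing issuer, a one-line comment saying so, `// issuer is non-null: enforced by the logout-token validation above`, is enough; otherwise the issuer should be rejected before it is encoded so the backchannel request is answered with a client error rather than an unhandled exception. backchannelLogout starts and ends outside the hunk.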