diff --git a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java index 4dd9fdf278e..6bb3e788a95 100644 --- a/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java +++ b/plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java @@ -55,9 +55,10 @@ import org.opensaml.saml2.core.Issuer; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.xml.ConfigurationException; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; import org.opensaml.xml.encryption.DecryptionException; -import org.opensaml.xml.encryption.EncryptedKeyResolver; import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; import org.opensaml.xml.io.UnmarshallingException; import org.opensaml.xml.security.SecurityHelper; @@ -253,7 +254,9 @@ public class SAML2LoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent Credential credential = SecurityHelper.getSimpleCredential(idpMetadata.getEncryptionCertificate().getPublicKey(), spMetadata.getKeyPair().getPrivate()); StaticKeyInfoCredentialResolver keyInfoResolver = new StaticKeyInfoCredentialResolver(credential); - EncryptedKeyResolver keyResolver = new InlineEncryptedKeyResolver(); + ChainingEncryptedKeyResolver keyResolver = new ChainingEncryptedKeyResolver(); + keyResolver.getResolverChain().add(new InlineEncryptedKeyResolver()); + keyResolver.getResolverChain().add(new EncryptedElementTypeEncryptedKeyResolver()); Decrypter decrypter = new Decrypter(null, keyInfoResolver, keyResolver); decrypter.setRootInNewDocument(true); List encryptedAssertions = processedSAMLResponse.getEncryptedAssertions();