spring-attic / spring-security-saml

SAML extension for the Spring Security project

Encrypted assertions from Response lose reference to parent document #504

Open davidjayb opened 3 years ago

davidjayb commented 3 years ago

During decryption, encrypted assertions lose the context of the parent (root) document. This is problematic if you need to access the parent document for any validation purposes of the authentication, such as to check the InResponseTo identifier.

The offending code:

        // Decrypt assertions
        if (response.getEncryptedAssertions().size() > 0) {
            assertionList = new ArrayList<Assertion>(response.getAssertions().size() + response.getEncryptedAssertions().size());
            assertionList.addAll(response.getAssertions());
            List<EncryptedAssertion> encryptedAssertionList = response.getEncryptedAssertions();
            for (EncryptedAssertion ea : encryptedAssertionList) {
                try {
                    Assert.notNull(context.getLocalDecrypter(), "Can't decrypt Assertion, no decrypter is set in the context");
                    log.debug("Decrypting assertion");
                    Assertion decryptedAssertion = context.getLocalDecrypter().decrypt(ea);
                    assertionList.add(decryptedAssertion);
                } catch (DecryptionException e) {
                    log.debug("Decryption of received assertion failed, assertion will be skipped", e);
                }
            }
        }

After the assertion is decrypted, the parent document reference should be set.
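One way to restore that link and then use it for the InResponseTo check, as an added example that is not part of spring-security-saml; it assumes the OpenSAML 2 API the extension builds on, and the helper class and method names are hypothetical:

```java
import java.util.ArrayList;
import java.util.List;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.EncryptedAssertion;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
import org.opensaml.saml2.encryption.Decrypter;
import org.opensaml.xml.encryption.DecryptionException;

// Hypothetical helper (added example, not part of spring-security-saml).
public class AssertionDecryptionHelper {
    // Decrypts every EncryptedAssertion and re-attaches the result to the
    // Response it arrived in, so assertion.getParent() resolves later.
    public static List<Assertion> decryptWithParent(Response response, Decrypter decrypter) {
        List<Assertion> assertions = new ArrayList<Assertion>(response.getAssertions());
        for (EncryptedAssertion ea : response.getEncryptedAssertions()) {
            try {
                Assertion decrypted = decrypter.decrypt(ea);
                // The Decrypter unmarshals into a fresh XMLObject tree with no
                // parent; restore the link before any validation runs.
                decrypted.setParent(response);
                assertions.add(decrypted);
            } catch (DecryptionException e) {
                // Same as the original loop: an undecryptable assertion is skipped.
            }
        }
        return assertions;
    }

    // Checks that the enclosing Response and the bearer SubjectConfirmationData
    // both answer the AuthnRequest ID this SP issued.
    public static boolean inResponseToMatches(Assertion assertion, String expectedRequestId) {
        if (!(assertion.getParent() instanceof Response)) {
            return false; // no parent link: the assertion cannot be tied to a Response
        }
        Response response = (Response) assertion.getParent();
        if (!expectedRequestId.equals(response.getInResponseTo())) {
            return false;
        }
        if (assertion.getSubject() == null) { return false; }
        for (SubjectConfirmation sc : assertion.getSubject().getSubjectConfirmations()) {
            SubjectConfirmationData data = sc.getSubjectConfirmationData();
            if (data != null && expectedRequestId.equals(data.getInResponseTo())) {
                return true;
            }
        }
        return false;
    }
}
```

Note that setParent only sets the child's back-pointer; the Response's own child list still holds the EncryptedAssertion, so downstream validation must iterate over the returned list rather than response.getAssertions().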