Fix for unable to decrypt SAML assertion

components/org.wso2.carbon.identity.application.authenticator.samlsso/src/main/java/org/wso2/carbon/identity/application/authenticator/samlsso/manager/DefaultSAML2SSOManager.java

@@ -120,6 +120,8 @@
 import javax.crypto.SecretKey;
 import javax.servlet.http.HttpServletRequest;
 
+import static org.apache.commons.collections.CollectionUtils.*;
+import static org.apache.commons.collections.CollectionUtils.isNotEmpty;
 import static org.opensaml.saml.saml2.core.StatusCode.SUCCESS;
 import static org.wso2.carbon.CarbonConstants.AUDIT_LOG;
 
@@ -513,7 +515,7 @@ private void processSSOResponse(HttpServletRequest request, Response samlRespons
         if (SSOUtils.isAssertionEncryptionEnabled(properties)) {
             List<EncryptedAssertion> encryptedAssertions = samlResponse.getEncryptedAssertions();
             EncryptedAssertion encryptedAssertion = null;
-            if (CollectionUtils.isNotEmpty(encryptedAssertions)) {
+            if (isNotEmpty(encryptedAssertions)) {
                 encryptedAssertion = encryptedAssertions.get(0);
                 try {
                     assertion = getDecryptedAssertion(encryptedAssertion);
@@ -523,7 +525,7 @@ private void processSSOResponse(HttpServletRequest request, Response samlRespons
             }
         } else {
             List<Assertion> assertions = samlResponse.getAssertions();
-            if (CollectionUtils.isNotEmpty(assertions)) {
+            if (isNotEmpty(assertions)) {
                 assertion = assertions.get(0);
             }
         }
@@ -1004,7 +1006,7 @@ private void validateAudienceRestriction(Assertion assertion, String issuer) thr
                 List<AudienceRestriction> audienceRestrictions = conditions.getAudienceRestrictions();
                 if (audienceRestrictions != null && !audienceRestrictions.isEmpty()) {
                     for (AudienceRestriction audienceRestriction : audienceRestrictions) {
-                        if (CollectionUtils.isNotEmpty(audienceRestriction.getAudiences())) {
+                        if (isNotEmpty(audienceRestriction.getAudiences())) {
                             boolean audienceFound = false;
                             for (Audience audience : audienceRestriction.getAudiences()) {
                                 if (issuer != null && issuer.equals(audience.getAudienceURI())) {
@@ -1175,7 +1177,7 @@ private Assertion getDecryptedAssertion(EncryptedAssertion encryptedAssertion) t
 
         X509Credential credential = new X509CredentialImpl(tenantDomain, null);
         KeyInfoCredentialResolver keyResolver = new StaticKeyInfoCredentialResolver(credential);
-        EncryptedKey key = encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
+        EncryptedKey key = getEncryptedKey(encryptedAssertion);
         Decrypter decrypter = new Decrypter(null, keyResolver, null);
         SecretKey dkey = (SecretKey) decrypter.decryptKey(key, encryptedAssertion.getEncryptedData().
                 getEncryptionMethod().getAlgorithm());
@@ -1228,4 +1230,14 @@ protected String getIssuer(AuthenticationContext context) {
         return properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SP_ENTITY_ID);
     }
 
+    private EncryptedKey getEncryptedKey(EncryptedAssertion encryptedAssertion) throws Exception {
+
+        if (isNotEmpty(encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys())) {
+            return encryptedAssertion.getEncryptedData().getKeyInfo().getEncryptedKeys().get(0);
+        }
+        if (isNotEmpty(encryptedAssertion.getEncryptedKeys())) {
+            return encryptedAssertion.getEncryptedKeys().get(0);
+        }
+        throw new Exception("Can not get the encrypted key");
+    }
 }