Java + SAML: Illegal Key Size


When attempting to decrypt the SAML response from the IdP, the following exception occurs:

Illegal key size
Original Exception was Illegal key size
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(
	at org.opensaml.xml.encryption.Decrypter.decryptUsingResolvedEncryptedKey(
	at org.opensaml.xml.encryption.Decrypter.decryptDataToDOM(
	at org.opensaml.xml.encryption.Decrypter.decryptDataToList(
	at org.opensaml.xml.encryption.Decrypter.decryptData(
	at org.opensaml.saml2.encryption.Decrypter.decryptData(
	at org.opensaml.saml2.encryption.Decrypter.decrypt(


Inspecting the SAML response payload below shows that the data is encrypted with AES-256:

<?xml version="1.0" encoding="UTF-8"?>
        IssueInstant="2016-02-18T15:28:43.473Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs-server/adfs/services/trust</Issuer>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="" xmlns:xenc="">
            <xenc:EncryptionMethod Algorithm=""/>
            <KeyInfo xmlns="">
                <e:EncryptedKey xmlns:e="">
                    <e:EncryptionMethod Algorithm="">
                        <DigestMethod Algorithm=""/>
                        <ds:X509Data xmlns:ds="">

By default, Java's key size is limited to 128 bits because of US export laws and the import laws of a few countries.

To fix this…

  • Determine the Java version.
  • Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files – Java 7 or Java 8.
  • Inflate the zip file.
  • Copy local_policy.jar and US_export_policy.jar to [JAVA_HOME]/jre/lib/security.
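Before and after copying the jars, it is worth confirming what the running JVM actually permits. The following check is an added example, not code from the original post; it uses only the standard JDK and reproduces the failing step (initialising an AES-256 cipher) with a throwaway all-zero key constructed here for the test. On Java 8u161 and later, and on Java 9+ where the `crypto.policy` security property selects the policy, unlimited strength is the default and the check passes without any jars.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;

public class JcePolicyCheck {

    // Largest AES key the installed jurisdiction policy permits, in bits.
    // Integer.MAX_VALUE means the unlimited policy is active.
    static int maxAesKeyBits() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Reproduces the failing step directly: initialise an AES-256-CBC cipher
    // with a constructed all-zero 32-byte key (a throwaway for this test,
    // never used for real data). Under the restricted policy Cipher.init
    // throws InvalidKeyException("Illegal key size"), the error OpenSAML wraps.
    static boolean canInitAes256() throws GeneralSecurityException {
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // On a Java 8 JDK, java.home is [JAVA_HOME]/jre, so the policy jars
        // belong in java.home + "/lib/security".
        String javaHome = System.getProperty("java.home");
        int max = maxAesKeyBits();
        System.out.println("java.version     : " + System.getProperty("java.version"));
        System.out.println("java.home        : " + javaHome);
        System.out.println("max AES key bits : " + (max == Integer.MAX_VALUE ? "unlimited" : max));
        if (canInitAes256()) {
            System.out.println("AES-256 permitted: an AES-256 EncryptedAssertion can be decrypted.");
        } else {
            System.out.println("AES-256 refused (Illegal key size): install the JCE Unlimited Strength");
            System.out.println("policy jars into " + javaHome + "/lib/security and re-run.");
        }
    }
}
```

Run it with the same JVM that hosts the SAML service provider, since each installed JRE carries its own policy jars.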

One thought on “Java + SAML: Illegal Key Size”

  1. Thanks for the help; this post was the first result when I searched on the exception in question, and your suggestion was exactly what I needed to do to solve my problem. Plus I like your blog name 🙂
