diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index 2d7d69c103b59734e754fe9588fb64b9497a0aa5..99f605569663f160ba9d44fdcd1d79a04b1e0d87 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -64,7 +64,7 @@ if ($message instanceof SAML2_LogoutResponse) {
 if ($message->isNameIdEncrypted()) {
 try {
- $keys = sspmod_saml_Message::getDecryptionKeys($srcMetadata, $dstMetadata);
+ $keys = sspmod_saml_Message::getDecryptionKeys($idpMetadata, $spMetadata);
 } catch (Exception $e) {
 throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
 }
@@ -74,12 +74,16 @@ if ($message instanceof SAML2_LogoutResponse) {
 try {
 $message->decryptNameId($key);
 SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
+ $lastException = NULL;
+ break;
 } catch (Exception $e) {
 SimpleSAML_Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
 $lastException = $e;
 }
 }
- throw $lastException;
+ if ($lastException !== NULL) {
+ throw $lastException;
+ }
 }
 $nameId = $message->getNameId();
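Review bot: The new post-loop guard `if ($lastException !== NULL)` in the second hunk treats "no exception recorded" as success, but that is also the state when the key loop never executes. The `foreach` header and the initialisation of `$lastException` sit between the two hunks and are not visible here, so this is inferred: if `getDecryptionKeys()` can return an empty list, execution would fall through to `$message->getNameId()` with the NameID still encrypted. Failing closed on the message state is safer, assuming `decryptNameId()` clears the encrypted flag: `if ($message->isNameIdEncrypted()) { throw $lastException !== NULL ? $lastException : new SimpleSAML_Error_Exception('Error decrypting NameID: no key succeeded.'); }`. Separately, the rethrown exception carries the decryption library's own message; whether it reaches the HTTP response depends on the error handler outside this diff, and a generic message to the sender with the detail kept in the log would avoid exposing why decryption failed.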