diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 3f73f6db9aa4601e927737ece3e3a51cb3007d29..547a9f5f7d4d2fa7b78802f1034539dbae6d599e 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -266,7 +266,7 @@ class sspmod_saml_Message {
 	 * @param SimpleSAML_Configuration $dstMetadata  The metadata of the recipient (SP).
 	 * @return XMLSecurityKey  The decryption key.
 	 */
-	private static function getDecryptionKey(SimpleSAML_Configuration $srcMetadata,
+	public static function getDecryptionKey(SimpleSAML_Configuration $srcMetadata,
 		SimpleSAML_Configuration $dstMetadata) {
 
 		$sharedKey = $srcMetadata->getString('sharedkey', NULL);
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index bf3cb05ac926ba6ab5bf33ac919d320c80e75512..85e42f588f44099c61c9d32b4a045b4eac392729 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -64,7 +64,7 @@ if ($message instanceof SAML2_LogoutResponse) {
 
 	if ($message->isNameIdEncrypted()) {
 		try {
-			$key = self::getDecryptionKey($idpMetadata, $spMetadata);
+			$key = sspmod_saml_Message::getDecryptionKey($idpMetadata, $spMetadata);
 		} catch (Exception $e) {
 			throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
 		}