diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
index db15941e9688db0f75dd129b176aef3aeb2aa285..eccba78c1471f7a3e626a2476d13231d22d688f6 100644
--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -226,8 +226,17 @@ There are two modes of encryption supported by SimpleSAMLphp. One is symmetric e
 :   Note that this option overrides the option with the same name in the SP configuration.
 
 `sharedkey`
-:   Symmetric key which should be used for decryption. This should be a 128-bit key. If this option is not specified, public key encryption will be used instead.
+:   Symmetric key which should be used for decryption. This should be a 128-bit, 192-bit or 256-bit key based on the algorithm used. If this option is not specified, public key encryption will be used instead.
 
+`sharedkey_algorithm`
+:   Algorithm which should be used for decryption. Possible values are:
+
+    * http://www.w3.org/2001/04/xmlenc#aes128-cbc
+    * http://www.w3.org/2001/04/xmlenc#aes192-cbc
+    * http://www.w3.org/2001/04/xmlenc#aes256-cbc
+    * http://www.w3.org/2009/xmlenc11#aes128-gcm
+    * http://www.w3.org/2009/xmlenc11#aes192-gcm
+    * http://www.w3.org/2009/xmlenc11#aes256-gcm
 
 ### Fields for signing and validating messages
 
diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md
index 345cf4cbae069cf4cbc9999e50ea0b9d6f7cf40f..c24914512c052f8c98c51d78f00587aa8923332b 100644
--- a/docs/simplesamlphp-reference-sp-remote.md
+++ b/docs/simplesamlphp-reference-sp-remote.md
@@ -336,9 +336,18 @@ of the SP.
 
 `sharedkey`
 :   Symmetric key which should be used for encryption. This should be a
-    128-bit key. If this option is not specified, public key encryption
-    will be used instead.
-
+    128-bit, 192-bit or 256-bit key based on the algorithm used.
+    If this option is not specified, public key encryption will be used instead.
+
+`sharedkey_algorithm`
+:   Algorithm which should be used for encryption. Possible values are:
+
+    * http://www.w3.org/2001/04/xmlenc#aes128-cbc
+    * http://www.w3.org/2001/04/xmlenc#aes192-cbc
+    * http://www.w3.org/2001/04/xmlenc#aes256-cbc
+    * http://www.w3.org/2009/xmlenc11#aes128-gcm
+    * http://www.w3.org/2009/xmlenc11#aes192-gcm
+    * http://www.w3.org/2009/xmlenc11#aes256-gcm
 
 ### Fields for signing and validating messages
 
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 56026c04a335a7184172b2b26141a9098ee797cc..ec8179d03e1011f95901e6066b55f7cc4548a501 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -1333,7 +1333,12 @@ class SAML2
 
         $sharedKey = $spMetadata->getString('sharedkey', null);
         if ($sharedKey !== null) {
-            $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
+            $algo = $spMetadata->getString('sharedkey_algorithm', null);
+            if ($algo === null) {
+                $algo = $idpMetadata->getString('sharedkey_algorithm');
+            }
+
+            $key = new XMLSecurityKey($algo);
             $key->loadKey($sharedKey);
         } else {
             $keys = $spMetadata->getPublicKeys('encryption', true);
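Review bot: The fallback `$idpMetadata->getString('sharedkey_algorithm')` is called without a default, unlike the SP lookup just above it. A deployment that already sets `sharedkey` but neither new option would presumably now get an exception where it previously encrypted with AES-128-CBC. If that break is not intended, `$algo = $idpMetadata->getString('sharedkey_algorithm', XMLSecurityKey::AES128_CBC);` keeps the old behaviour; otherwise the docs should say the option is required alongside `sharedkey`. The same pattern appears in `getDecryptionKeys()` in modules/saml/lib/Message.php. The value also reaches `new XMLSecurityKey($algo)` without being compared against the six documented URIs, so an allowlist check before constructing the key would be worth adding; the enclosing method starts and ends outside the hunk.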
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 2513d14c0cf793ef00648ce2930bf225f9d1068e..7af3be74b3dfd76c5190aad8ad9244451f41797c 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -300,16 +300,28 @@ class Message
      *
      * @param \SimpleSAML\Configuration $srcMetadata The metadata of the sender (IdP).
      * @param \SimpleSAML\Configuration $dstMetadata The metadata of the recipient (SP).
+     * @psalm-suppress UndefinedDocblockClass  This can be removed after upgrading to saml2v5
+     * @param \SimpleSAML\SAML2\XML\xenc\EncryptionMethod|null $encryptionMethod The EncryptionMethod from the assertion.
      *
      * @return array Array of decryption keys.
      */
     public static function getDecryptionKeys(
         Configuration $srcMetadata,
-        Configuration $dstMetadata
+        Configuration $dstMetadata,
+        $encryptionMethod = null
     ) {
         $sharedKey = $srcMetadata->getString('sharedkey', null);
         if ($sharedKey !== null) {
-            $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
+            if ($encryptionMethod !== null) {
+                $algo = $encryptionMethod->getAlgorithm();
+            } else {
+                $algo = $srcMetadata->getString('sharedkey_algorithm', null);
+                if ($algo === null) {
+                    $algo = $dstMetadata->getString('sharedkey_algorithm');
+                }
+            }
+
+            $key = new XMLSecurityKey($algo);
             $key->loadKey($sharedKey);
             return [$key];
         }
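Review bot: When `$encryptionMethod` is non-null, the algorithm is taken from the received message and the configured `sharedkey_algorithm` is never consulted, so the message rather than the local metadata decides which cipher the shared key is used with. Since both CBC and GCM URIs are documented as valid, a message could select an unauthenticated CBC mode even where the operator configured GCM. I would resolve the configured algorithm first and reject a mismatch, e.g. `if ($encryptionMethod !== null && $encryptionMethod->getAlgorithm() !== $algo) { throw new \Exception('Unexpected encryption algorithm'); }`. The path is dormant for now because the caller in the next hunk passes null, but the check should exist before that `@todo` is enabled.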
@@ -400,7 +412,12 @@ class Message
         }
 
         try {
-            $keys = self::getDecryptionKeys($srcMetadata, $dstMetadata);
+            // @todo Enable this code for saml2v5 to automatically determine encryption algorithm
+            //$encryptionMethod = $assertion->getEncryptedData()->getEncryptionMethod();
+            //$keys = self::getDecryptionKeys($srcMetadata, $dstMetadata, $encryptionMethod);
+
+            $encryptionMethod = null;
+            $keys = self::getDecryptionKeys($srcMetadata, $dstMetadata, $encryptionMethod);
         } catch (\Exception $e) {
             throw new SSP_Error\Exception('Error decrypting assertion: ' . $e->getMessage());
         }
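Review bot: The two commented-out lines and the `$encryptionMethod = null;` placeholder leave dead code in the try block; `self::getDecryptionKeys($srcMetadata, $dstMetadata)` gives the same result through the new default parameter. The `@todo` can stay as one comment line that also records the precondition, e.g. `// @todo saml2v5: pass the assertion's EncryptionMethod once it is validated against sharedkey_algorithm`. Because the catch wraps every exception from key lookup, a missing `sharedkey_algorithm` setting will surface as 'Error decrypting assertion: …', which reads like a cryptographic failure rather than a configuration error. The enclosing method starts and ends outside the hunk.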