diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java
index c377206..0b81eb6 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java
@@ -120,11 +120,12 @@ public class SAML2BindingBuilder2<T extends SAML2BindingBuilder2> {
protected Document document;
public PostBindingBuilder(Document document) throws ProcessingException {
- if (encrypt) encryptDocument(document);
this.document = document;
if (signAssertions) {
signAssertion(document);
}
+ //Per SAML spec 6.2 Encrypting assertions must happen after the assertions are signed
+ if (encrypt) encryptDocument(document);
if (sign) {
signDocument(document);
}
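Review bot: The sign-then-encrypt order is security-relevant, but it is now guaranteed only by statement order, repeated verbatim in this constructor and in RedirectBindingBuilder (second hunk), and no test in this diff pins it. Consider moving the shared steps into one private helper (for example a new `signAndEncryptAssertions(document)`), so the two bindings cannot drift apart. A regression test that decrypts the produced assertion and verifies its signature would guard the order as well. The comment would be easier to check if it named the document it cites, presumably SAML 2.0 Core: `// SAML 2.0 Core, section 6.2: sign the assertion first, then encrypt it; the document signature below is computed last.` The constructor's closing lines are outside the hunk.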
@@ -151,11 +152,12 @@ public class SAML2BindingBuilder2<T extends SAML2BindingBuilder2> {
protected Document document;
public RedirectBindingBuilder(Document document) throws ProcessingException {
- if (encrypt) encryptDocument(document);
this.document = document;
if (signAssertions) {
signAssertion(document);
}
+ //Per SAML spec 6.2 Encrypting assertions must happen after the assertions are signed
+ if (encrypt) encryptDocument(document);
}
public Document getDocument() {
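Review bot: When `encrypt` is set and `signAssertions` is not, nothing in this constructor signs the encrypted content, because unlike the POST constructor there is no `signDocument(document)` call after `encryptDocument(document)`. Presumably the redirect binding applies its signature to the query string elsewhere in the class, which this hunk does not show. A short comment after the encrypt line, such as `// redirect binding: the message signature is computed over the query string, not the document`, would let a reader confirm that. If no signature is applied there either, an encrypt-only configuration yields ciphertext the recipient cannot authenticate, which deserves a note in the builder's documentation.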