WIP: Verify Metadata Signatures

This adds the RelyingPartyRegistrationsDecoder component
which allows configuration with signature verification credentials.
It also introduces a caching RelyingPartyRegistration
implementation that uses it.

Issue spring-projectsgh-12116

Author: jzheaux

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/CachingRelyingPartyRegistrationRepository.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.registration;
+
+import java.io.InputStream;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.concurrent.Callable;
+
+import org.springframework.cache.Cache;
+import org.springframework.cache.concurrent.ConcurrentMapCache;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.core.io.DefaultResourceLoader;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.util.Assert;
+
+public final class CachingRelyingPartyRegistrationRepository
+		implements RelyingPartyRegistrationRepository, Iterable<RelyingPartyRegistration> {
+
+	private final ResourceLoader resourceLoader = new DefaultResourceLoader();
+
+	private final Callable<Map<String, RelyingPartyRegistration>> registrationLoader;
+
+	private Cache cache = new ConcurrentMapCache("registrations");
+
+	private Converter<RelyingPartyRegistration.Builder, RelyingPartyRegistration> relyingPartyRegistrationBuilder = RelyingPartyRegistration.Builder::build;
+
+	public CachingRelyingPartyRegistrationRepository(String metadataLocation,
+			RelyingPartyRegistrationsDecoder decoder) {
+		this.registrationLoader = () -> {
+			Map<String, RelyingPartyRegistration> registrations = new HashMap<>();
+			try (InputStream source = this.resourceLoader.getResource(metadataLocation).getInputStream()) {
+				for (RelyingPartyRegistration registration : decoder.decode(source)) {
+					registrations.put(registration.getRegistrationId(), registration);
+				}
+				return registrations;
+			}
+		};
+	}
+
+	@Override
+	public Iterator<RelyingPartyRegistration> iterator() {
+		return registrations().values().iterator();
+	}
+
+	@Override
+	public RelyingPartyRegistration findByRegistrationId(String registrationId) {
+		return registrations().get(registrationId);
+	}
+
+	private Map<String, RelyingPartyRegistration> registrations() {
+		return this.cache.get("registrations", this.registrationLoader);
+	}
+
+	public void setCache(Cache cache) {
+		Assert.notNull(cache, "cache cannot be null");
+		this.cache = cache;
+	}
+
+}

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter.java

@@ -62,13 +62,13 @@ public class OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter
 		OpenSamlInitializationService.initialize();
 	}
 
-	private final OpenSamlMetadataRelyingPartyRegistrationConverter converter;
+	private final OpenSamlRelyingPartyRegistrationsDecoder converter;
 
 	/**
 	 * Creates a {@link OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter}
 	 */
 	public OpenSamlRelyingPartyRegistrationBuilderHttpMessageConverter() {
-		this.converter = new OpenSamlMetadataRelyingPartyRegistrationConverter();
+		this.converter = new OpenSamlRelyingPartyRegistrationsDecoder();
 	}
 
 	@Override
@@ -89,7 +89,7 @@ public List<MediaType> getSupportedMediaTypes() {
 	@Override
 	public RelyingPartyRegistration.Builder read(Class<? extends RelyingPartyRegistration.Builder> clazz,
 			HttpInputMessage inputMessage) throws IOException, HttpMessageNotReadableException {
-		return this.converter.convert(inputMessage.getBody()).iterator().next();
+		return this.converter.decode(inputMessage.getBody()).iterator().next().mutate();
 	}
 
 	@Override

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlMetadataRelyingPartyRegistrationConverter.java renamed to saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationsDecoder.java

@@ -23,6 +23,7 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
+import java.util.Set;
 
 import net.shibboleth.utilities.java.support.xml.ParserPool;
 import org.opensaml.core.config.ConfigurationService;
@@ -31,23 +32,34 @@
 import org.opensaml.core.xml.io.Unmarshaller;
 import org.opensaml.saml.common.xml.SAMLConstants;
 import org.opensaml.saml.ext.saml2alg.SigningMethod;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilter;
+import org.opensaml.saml.metadata.resolver.filter.MetadataFilterContext;
+import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
 import org.opensaml.saml.saml2.metadata.EntitiesDescriptor;
 import org.opensaml.saml.saml2.metadata.EntityDescriptor;
 import org.opensaml.saml.saml2.metadata.Extensions;
 import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
 import org.opensaml.saml.saml2.metadata.KeyDescriptor;
 import org.opensaml.saml.saml2.metadata.SingleLogoutService;
 import org.opensaml.saml.saml2.metadata.SingleSignOnService;
+import org.opensaml.security.credential.Credential;
+import org.opensaml.security.credential.CredentialResolver;
 import org.opensaml.security.credential.UsageType;
+import org.opensaml.security.credential.impl.CollectionCredentialResolver;
+import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
 import org.opensaml.xmlsec.keyinfo.KeyInfoSupport;
+import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
+import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
+import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.OpenSamlInitializationService;
 import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.util.Assert;
 
-class OpenSamlMetadataRelyingPartyRegistrationConverter {
+public final class OpenSamlRelyingPartyRegistrationsDecoder implements RelyingPartyRegistrationsDecoder {
 
 	static {
 		OpenSamlInitializationService.initialize();
@@ -57,12 +69,32 @@ class OpenSamlMetadataRelyingPartyRegistrationConverter {
 
 	private final ParserPool parserPool;
 
+	private final MetadataFilter filter;
+
+	private Converter<RelyingPartyRegistration.Builder, RelyingPartyRegistration> relyingPartyRegistrationBuilder = RelyingPartyRegistration.Builder::build;
+
 	/**
-	 * Creates a {@link OpenSamlMetadataRelyingPartyRegistrationConverter}
+	 * Creates a {@link OpenSamlRelyingPartyRegistrationsDecoder}
 	 */
-	OpenSamlMetadataRelyingPartyRegistrationConverter() {
+	public OpenSamlRelyingPartyRegistrationsDecoder() {
+		this((xmlObject, metadataFilterContent) -> xmlObject);
+	}
+
+	public OpenSamlRelyingPartyRegistrationsDecoder(Set<Credential> verificationCredentials) {
+		this(metadataFilter(verificationCredentials));
+	}
+
+	static MetadataFilter metadataFilter(Set<Credential> credentials) {
+		CredentialResolver credentialsResolver = new CollectionCredentialResolver(credentials);
+		SignatureTrustEngine engine = new ExplicitKeySignatureTrustEngine(credentialsResolver,
+				DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver());
+		return new SignatureValidationFilter(engine);
+	}
+
+	OpenSamlRelyingPartyRegistrationsDecoder(MetadataFilter filter) {
 		this.registry = ConfigurationService.get(XMLObjectProviderRegistry.class);
 		this.parserPool = this.registry.getParserPool();
+		this.filter = filter;
 	}
 
 	OpenSamlRelyingPartyRegistration.Builder convert(EntityDescriptor descriptor) {
@@ -152,24 +184,25 @@ else if (singleLogoutService.getBinding().equals(Saml2MessageBinding.REDIRECT.ge
 		return builder;
 	}
 
-	Collection<RelyingPartyRegistration.Builder> convert(InputStream inputStream) {
-		List<RelyingPartyRegistration.Builder> builders = new ArrayList<>();
+	@Override
+	public Collection<RelyingPartyRegistration> decode(InputStream inputStream) {
+		List<RelyingPartyRegistration> registrations = new ArrayList<>();
 		XMLObject xmlObject = xmlObject(inputStream);
 		if (xmlObject instanceof EntitiesDescriptor) {
 			EntitiesDescriptor descriptors = (EntitiesDescriptor) xmlObject;
 			for (EntityDescriptor descriptor : descriptors.getEntityDescriptors()) {
 				if (descriptor.getIDPSSODescriptor(SAMLConstants.SAML20P_NS) != null) {
-					builders.add(convert(descriptor));
+					registrations.add(this.relyingPartyRegistrationBuilder.convert(convert(descriptor)));
 				}
 			}
-			if (builders.isEmpty()) {
+			if (registrations.isEmpty()) {
 				throw new Saml2Exception("Metadata contains no IDPSSODescriptor elements");
 			}
-			return builders;
+			return registrations;
 		}
 		if (xmlObject instanceof EntityDescriptor) {
 			EntityDescriptor descriptor = (EntityDescriptor) xmlObject;
-			return Arrays.asList(convert(descriptor));
+			return Arrays.asList(this.relyingPartyRegistrationBuilder.convert(convert(descriptor)));
 		}
 		throw new Saml2Exception("Unsupported element of type " + xmlObject.getClass());
 	}
@@ -202,7 +235,7 @@ private XMLObject xmlObject(InputStream inputStream) {
 			throw new Saml2Exception("Unsupported element of type " + element.getTagName());
 		}
 		try {
-			return unmarshaller.unmarshall(element);
+			return this.filter.filter(unmarshaller.unmarshall(element), new MetadataFilterContext());
 		}
 		catch (Exception ex) {
 			throw new Saml2Exception(ex);
@@ -225,4 +258,10 @@ private <T> List<T> signingMethods(Extensions extensions) {
 		return new ArrayList<>();
 	}
 
+	public void setRelyingPartyRegistrationBuilder(
+			Converter<RelyingPartyRegistration.Builder, RelyingPartyRegistration> relyingPartyRegistrationBuilder) {
+		Assert.notNull(relyingPartyRegistrationBuilder, "relyingPartyRegistrationBuilder cannot be null");
+		this.relyingPartyRegistrationBuilder = relyingPartyRegistrationBuilder;
+	}
+
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrations.java

@@ -18,6 +18,7 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
 import java.util.Collection;
 
 import org.springframework.core.io.DefaultResourceLoader;
@@ -34,7 +35,7 @@
  */
 public final class RelyingPartyRegistrations {
 
-	private static final OpenSamlMetadataRelyingPartyRegistrationConverter relyingPartyRegistrationConverter = new OpenSamlMetadataRelyingPartyRegistrationConverter();
+	private static final OpenSamlRelyingPartyRegistrationsDecoder relyingPartyRegistrationConverter = new OpenSamlRelyingPartyRegistrationsDecoder();
 
 	private static final ResourceLoader resourceLoader = new DefaultResourceLoader();
 
@@ -213,7 +214,11 @@ public static Collection<RelyingPartyRegistration.Builder> collectionFromMetadat
 	 * @since 5.7
 	 */
 	public static Collection<RelyingPartyRegistration.Builder> collectionFromMetadata(InputStream source) {
-		return relyingPartyRegistrationConverter.convert(source);
+		Collection<RelyingPartyRegistration.Builder> builders = new ArrayList<>();
+		for (RelyingPartyRegistration registration : relyingPartyRegistrationConverter.decode(source)) {
+			builders.add(registration.mutate());
+		}
+		return builders;
 	}
 
 }

saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/registration/RelyingPartyRegistrationsDecoder.java

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.saml2.provider.service.registration;
+
+import java.io.InputStream;
+import java.util.Collection;
+
+public interface RelyingPartyRegistrationsDecoder {
+
+	Collection<RelyingPartyRegistration> decode(InputStream entities);
+
+}

saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/OpenSamlMetadataRelyingPartyRegistrationConverterTests.java renamed to saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/provider/service/registration/OpenSamlRelyingPartyRegistrationsDecoderTests.java

@@ -37,7 +37,7 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
-public class OpenSamlMetadataRelyingPartyRegistrationConverterTests {
+public class OpenSamlRelyingPartyRegistrationsDecoderTests {
 
 	private static final String CERTIFICATE = "MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYDVQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwXc2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0BwaXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAaBgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQDDBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWWRDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQnX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gphiJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduOnRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+vZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLuxbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6zV9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk";
 
@@ -62,7 +62,7 @@ public class OpenSamlMetadataRelyingPartyRegistrationConverterTests {
 	private static final String SINGLE_SIGN_ON_SERVICE_TEMPLATE = "<md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" "
 			+ "Location=\"sso-location\"/>";
 
-	private OpenSamlMetadataRelyingPartyRegistrationConverter converter = new OpenSamlMetadataRelyingPartyRegistrationConverter();
+	private OpenSamlRelyingPartyRegistrationsDecoder converter = new OpenSamlRelyingPartyRegistrationsDecoder();
 
 	private String metadata;
 
@@ -78,8 +78,8 @@ public void setup() throws Exception {
 	@Test
 	public void convertWhenDefaultsThenAssertingPartyInstanceOfOpenSaml() throws Exception {
 		try (InputStream source = new ByteArrayInputStream(this.metadata.getBytes(StandardCharsets.UTF_8))) {
-			this.converter.convert(source)
-				.forEach((registration) -> assertThat(registration.build().getAssertingPartyDetails())
+			this.converter.decode(source)
+				.forEach((registration) -> assertThat(registration.getAssertingPartyDetails())
 					.isInstanceOf(OpenSamlAssertingPartyDetails.class));
 		}
 	}
@@ -88,15 +88,15 @@ public void convertWhenDefaultsThenAssertingPartyInstanceOfOpenSaml() throws Exc
 	public void readWhenMissingIDPSSODescriptorThenException() {
 		String payload = String.format(ENTITY_DESCRIPTOR_TEMPLATE, "");
 		InputStream inputStream = new ByteArrayInputStream(payload.getBytes());
-		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.convert(inputStream))
+		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.decode(inputStream))
 			.withMessageContaining("Metadata response is missing the necessary IDPSSODescriptor element");
 	}
 
 	@Test
 	public void readWhenMissingVerificationKeyThenException() {
 		String payload = String.format(ENTITY_DESCRIPTOR_TEMPLATE, String.format(IDP_SSO_DESCRIPTOR_TEMPLATE, ""));
 		InputStream inputStream = new ByteArrayInputStream(payload.getBytes());
-		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.convert(inputStream))
+		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.decode(inputStream))
 			.withMessageContaining(
 					"Metadata response is missing verification certificates, necessary for verifying SAML assertions");
 	}
@@ -106,7 +106,7 @@ public void readWhenMissingSingleSignOnServiceThenException() {
 		String payload = String.format(ENTITY_DESCRIPTOR_TEMPLATE,
 				String.format(IDP_SSO_DESCRIPTOR_TEMPLATE, String.format(KEY_DESCRIPTOR_TEMPLATE, "use=\"signing\"")));
 		InputStream inputStream = new ByteArrayInputStream(payload.getBytes());
-		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.convert(inputStream))
+		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.decode(inputStream))
 			.withMessageContaining(
 					"Metadata response is missing a SingleSignOnService, necessary for sending AuthnRequests");
 	}
@@ -119,10 +119,9 @@ public void readWhenDescriptorFullySpecifiedThenConfigures() throws Exception {
 								+ String.format(KEY_DESCRIPTOR_TEMPLATE, "use=\"encryption\"") + EXTENSIONS_TEMPLATE
 								+ String.format(SINGLE_SIGN_ON_SERVICE_TEMPLATE)));
 		InputStream inputStream = new ByteArrayInputStream(payload.getBytes());
-		RelyingPartyRegistration.AssertingPartyDetails details = this.converter.convert(inputStream)
+		RelyingPartyRegistration.AssertingPartyDetails details = this.converter.decode(inputStream)
 			.iterator()
 			.next()
-			.build()
 			.getAssertingPartyDetails();
 		assertThat(details.getWantAuthnRequestsSigned()).isFalse();
 		assertThat(details.getSigningAlgorithms()).containsExactly(SignatureConstants.ALGO_ID_DIGEST_SHA512);
@@ -152,10 +151,9 @@ public void readWhenEntitiesDescriptorThenConfigures() throws Exception {
 										+ String.format(KEY_DESCRIPTOR_TEMPLATE, "use=\"encryption\"")
 										+ String.format(SINGLE_SIGN_ON_SERVICE_TEMPLATE))));
 		InputStream inputStream = new ByteArrayInputStream(payload.getBytes());
-		RelyingPartyRegistration.AssertingPartyDetails details = this.converter.convert(inputStream)
+		RelyingPartyRegistration.AssertingPartyDetails details = this.converter.decode(inputStream)
 			.iterator()
 			.next()
-			.build()
 			.getAssertingPartyDetails();
 		assertThat(details.getWantAuthnRequestsSigned()).isFalse();
 		assertThat(details.getSingleSignOnServiceLocation()).isEqualTo("sso-location");
@@ -174,10 +172,9 @@ public void readWhenKeyDescriptorHasNoUseThenConfiguresBothKeyTypes() throws Exc
 		String payload = String.format(ENTITY_DESCRIPTOR_TEMPLATE, String.format(IDP_SSO_DESCRIPTOR_TEMPLATE,
 				String.format(KEY_DESCRIPTOR_TEMPLATE, "") + String.format(SINGLE_SIGN_ON_SERVICE_TEMPLATE)));
 		InputStream inputStream = new ByteArrayInputStream(payload.getBytes());
-		RelyingPartyRegistration.AssertingPartyDetails details = this.converter.convert(inputStream)
+		RelyingPartyRegistration.AssertingPartyDetails details = this.converter.decode(inputStream)
 			.iterator()
 			.next()
-			.build()
 			.getAssertingPartyDetails();
 		assertThat(details.getVerificationX509Credentials().iterator().next().getCertificate())
 			.isEqualTo(x509Certificate(CERTIFICATE));
@@ -201,7 +198,7 @@ X509Certificate x509Certificate(String data) {
 	public void readWhenUnsupportedElementThenSaml2Exception() {
 		String payload = "<saml2:Assertion xmlns:saml2=\"https://some.endpoint\"/>";
 		InputStream inputStream = new ByteArrayInputStream(payload.getBytes());
-		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.convert(inputStream))
+		assertThatExceptionOfType(Saml2Exception.class).isThrownBy(() -> this.converter.decode(inputStream))
 			.withMessage("Unsupported element of type saml2:Assertion");
 	}