By default, cryptographic strength in Java is limited for legal reasons. As a result, encrypted SAML responses cannot be handled.

To remove these limitations, install the JCE Unlimited Strength Jurisdiction Policy Files as detailed in steps 1-6 of this Atlassian Knowledge Base Article, then restart your Atlassian Data Center or Server application instance.

This process changed with Java 8 Update 151 (8u151). If you are using this or a higher version, set the new crypto.policy Security property in the java.security file. By default, the property is undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, the default cryptographic level remains 'limited'. To configure the JDK to use unlimited cryptography, set crypto.policy to a value of 'unlimited'.

See https://www.java.com/en/download/faq/release_changes.xml for more details.
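To confirm which policy is actually in effect after changing crypto.policy or installing the policy files, the following added example (not code from Atlassian or from the application) queries the running JVM directly. The class name CryptoPolicyCheck, the list of probed algorithms and the AES-256 probe are assumptions chosen for illustration; compile and run it with the same Java installation the Atlassian application uses.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: reports which JCE jurisdiction policy the running JVM enforces.
public class CryptoPolicyCheck {

    // Algorithms to probe; this list is an assumption chosen for illustration.
    private static final String[] ALGORITHMS = {"AES", "DESede", "RSA"};

    /** True when the JVM places no cap on key length for the given algorithm. */
    static boolean isUnlimited(String algorithm) throws Exception {
        return Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE;
    }

    /** Tries to initialise AES with a 256-bit key, which the limited policy rejects. */
    static boolean canUseAes256() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero key, used only for this probe
        byte[] iv = new byte[16];  // constructed all-zero IV, used only for this probe
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false; // "Illegal key size" under the limited policy
        }
    }

    public static void main(String[] args) throws Exception {
        // Security.getProperty returns null when crypto.policy is not set in java.security.
        String policy = Security.getProperty("crypto.policy");
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("crypto.policy = " + (policy == null ? "(undefined)" : policy));

        for (String alg : ALGORITHMS) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            System.out.println(alg + " max key length: "
                    + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        }

        boolean ok = isUnlimited("AES") && canUseAes256();
        System.out.println(ok ? "RESULT: unlimited cryptography is active"
                              : "RESULT: limited policy in effect");
        System.exit(ok ? 0 : 1); // non-zero exit lets a deployment script fail fast
    }
}
```

The printed java.home value shows which installation was checked, which matters when several JREs are present on the host.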