diff --git a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
index 0ad095bf203..05cd076b5c4 100644
--- a/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
+++ b/adapters/saml/core/src/main/java/org/keycloak/adapters/saml/profile/AbstractSamlAuthenticationHandler.java
@@ -148,6 +148,10 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 postBinding = true;
 holder = SAMLRequestParser.parseRequestPostBinding(samlRequest);
 }
+ if (holder == null) {
+ log.error("Error parsing SAML document");
+ return AuthOutcome.FAILED;
+ }
 RequestAbstractType requestAbstractType = (RequestAbstractType) holder.getSamlObject();
 if (! destinationValidator.validate(requestUri, requestAbstractType.getDestination())) {
 log.error("expected destination '" + requestUri + "' got '" + requestAbstractType.getDestination() + "'");
@@ -188,6 +192,24 @@ public abstract class AbstractSamlAuthenticationHandler implements SamlAuthentic
 postBinding = true;
 holder = extractPostBindingResponse(samlResponse);
 }
+ if (holder == null) {
+ log.error("Error parsing SAML document");
+ challenge = new AuthChallenge() {
+ @Override
+ public boolean challenge(HttpFacade exchange) {
+ SamlAuthenticationError error = new SamlAuthenticationError(SamlAuthenticationError.Reason.EXTRACTION_FAILURE);
+ exchange.getRequest().setError(error);
+ exchange.getResponse().sendError(403);
+ return true;
+ }
+
+ @Override
+ public int getResponseCode() {
+ return 403;
+ }
+ };
+ return AuthOutcome.FAILED;
+ }
 final StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
 // validate destination
 if (! destinationValidator.validate(requestUri, statusResponse.getDestination())) {
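Review bot: The new null-holder guard in the request path returns `AuthOutcome.FAILED` without setting `challenge`, whereas the matching guard in the second hunk of this file installs a 403 challenge carrying `EXTRACTION_FAILURE`; if the caller renders the failure from `challenge`, an unparseable request will be reported differently from an unparseable response. Whether that asymmetry is intended cannot be judged from here, since the enclosing method starts and ends outside the hunk — a one-line comment such as `// no challenge: request-path failures are reported by the caller` (or the same challenge as the response path) would settle it. The log line also does not say which binding failed to parse; `log.error("Error parsing SAML document (postBinding=" + postBinding + ")");` uses the flag already set just above and helps distinguish redirect from POST failures without logging any of the document itself.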
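Review bot: The anonymous `AuthChallenge` added to the response path is sixteen lines of boilerplate whose only variable part is the `SamlAuthenticationError.Reason`, so the same shape presumably already exists for other reasons such as the `INVALID_SIGNATURE` the test file checks for. A small private factory taking the reason keeps the status code and the `setError`/`sendError` ordering in one place, and makes the new branch read as a single line. The enclosing method continues outside the hunk; the helper would be added as a new member of the class, not inside that method.
```java
        if (holder == null) {
            log.error("Error parsing SAML document");
            challenge = forbiddenChallenge(SamlAuthenticationError.Reason.EXTRACTION_FAILURE);
            return AuthOutcome.FAILED;
        }
        // … unchanged: statusResponse extraction and destination validation …

    // … new private member added elsewhere in the class, outside the method above …
    /** Builds a challenge that records {@code reason} on the request and answers with 403. */
    private static AuthChallenge forbiddenChallenge(final SamlAuthenticationError.Reason reason) {
        return new AuthChallenge() {
            @Override
            public boolean challenge(HttpFacade exchange) {
                exchange.getRequest().setError(new SamlAuthenticationError(reason));
                exchange.getResponse().sendError(403);
                return true;
            }

            @Override
            public int getResponseCode() {
                return 403;
            }
        };
    }
```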
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SamlSignatureTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SamlSignatureTest.java
index 65c05800920..6d6ee3e5eac 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SamlSignatureTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SamlSignatureTest.java
@@ -313,6 +313,7 @@ public class SamlSignatureTest extends AbstractAdapterTest {
 assertThat(response, Matchers.bodyHC(
 anyOf(
 containsString("INVALID_SIGNATURE"),
+ containsString("EXTRACTION_FAILURE"),
 containsString("There was an error")
 )
 ));
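Review bot: Adding `containsString("EXTRACTION_FAILURE")` to the existing `anyOf` widens the assertion rather than pinning the new outcome: a case that previously had to surface `INVALID_SIGNATURE` now also passes if the adapter reports an extraction failure, so a regression that turns a signature rejection into a parse failure would go unnoticed. If this assertion is shared by several tampering scenarios (the surrounding test body is outside the hunk), consider passing the expected reason into the helper per scenario, e.g. `containsString(expectedReason.name())`, so each case asserts exactly one of the two reasons.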