diff --git a/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java b/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java
index e578f85bbe..80a71099ff 100755
--- a/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java
+++ b/adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java
@@ -83,6 +83,7 @@ public class UndertowSessionTokenStore implements AdapterTokenStore {
 } else {
 log.debug("Account was not active, returning false");
 session.removeAttribute(KeycloakUndertowAccount.class.getName());
+ session.removeAttribute(KeycloakSecurityContext.class.getName());
 session.invalidate(exchange);
 return false;
 }
diff --git a/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java b/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
index c8026fd524..372a5dabc7 100755
--- a/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
+++ b/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
@@ -27,6 +27,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.util.JAXBSource;
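Review bot: The added `session.removeAttribute(KeycloakSecurityContext.class.getName())` sits directly before `session.invalidate(exchange)`, so a later reader is likely to treat both explicit removals as redundant and delete them, silently undoing this fix. A short why-comment above the two removeAttribute calls would protect it, e.g. `// drop the cached account and security context explicitly; invalidate() alone may not evict them from every session store`; whether invalidate() really leaves attributes behind in the Undertow session manager used here is inferred, not visible in the hunk, so confirm the wording against that implementation. If the same pair of removals exists on the logout path, a small private helper that clears both attributes would keep the two sites from drifting again. The enclosing method begins before this hunk.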
@@ -108,6 +109,19 @@ public class TransformerUtil {
 SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
 }
 transformerFactory = TransformerFactory.newInstance();
+ try {
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (TransformerConfigurationException ignored) {
+ // some platforms don't support this. For example our testsuite pulls Selenium which requires Xalan 2.7.1
+ }
+ try {
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ } catch (Exception ignored) {
+ // some platforms don't support this. For example our testsuite pulls Selenium which requires Xalan 2.7.1
+ }
+
 } finally {
 if (tccl_jaxp) {
 SecurityActions.setTCCL(prevTCCL);
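Review bot: Both `setAttribute` calls share one try block, so on a factory that rejects `ACCESS_EXTERNAL_DTD` the `ACCESS_EXTERNAL_STYLESHEET` restriction is never even attempted, and `catch (Exception ignored)` is wider than the `IllegalArgumentException` that `TransformerFactory.setAttribute` documents for an unrecognised attribute. Applying each attribute in its own try with the narrow catch keeps one unsupported setting from disabling the other, and the catch is also the natural place to record that the factory is running without external-access restrictions, which otherwise goes unnoticed outside the testsuite; if the class has a logger (not visible in this hunk) a debug-level line there would make that state observable. The outer try that this code sits in begins before the hunk.
```java
transformerFactory = TransformerFactory.newInstance();
// … unchanged: FEATURE_SECURE_PROCESSING try/catch …
for (String attribute : new String[] { XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET }) {
    try {
        transformerFactory.setAttribute(attribute, "");
    } catch (IllegalArgumentException ignored) {
        // attribute not recognised by this TransformerFactory implementation
        // (e.g. Xalan 2.7.1 pulled in by Selenium in the testsuite); the other attribute is still applied
    }
}
```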