In Security 5.5, if a response cannot be decrypted due to the response being unsigned, the error message is misleading. The error message should explain that the response is encrypted, but unsigned and because of that, it will not be decrypted.
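The failure described above is easy to misread from a generic "could not decrypt" message, so here is an added diagnostic (example code written for this page, not part of Spring Security) that inspects a samlp:Response and reports where its signatures actually sit: on the Response element, on plaintext Assertions, or nowhere visible because the assertions are encrypted. It does not verify any signature; it only locates them. The XML samples are constructed by hand with placeholder signature and cipher values, and the names inspect_response, classify and make_response are this example's own.

```python
"""Locate signatures in a SAML 2.0 Response to explain a "cannot decrypt" failure.

Added example; not Spring Security code. The sample documents below are
constructed and carry placeholder ds:SignatureValue / xenc:CipherValue content.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def inspect_response(xml_text):
    """Return where signatures sit in a samlp:Response (no cryptographic verification)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is %s, not samlp:Response" % root.tag)
    assertions = root.findall("saml:Assertion", NS)
    return {
        "id": root.get("ID"),
        # A Response-level signature is a direct ds:Signature child of samlp:Response.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "plain_assertions": len(assertions),
        "plain_assertions_signed": sum(
            a.find("ds:Signature", NS) is not None for a in assertions
        ),
    }


def classify(info):
    """Turn the inspection result into a message that names the real problem."""
    if info["response_signed"]:
        return ("ok: Response %s is signed; encrypted assertions can be decrypted "
                "and any inner Assertion signature checked afterwards" % info["id"])
    if info["encrypted_assertions"]:
        return ("error: Response %s contains %d EncryptedAssertion element(s) but the "
                "Response itself is unsigned; an SP that requires a signature before "
                "decrypting will not decrypt it. A signature on the Assertion is inside "
                "the ciphertext and cannot vouch for the Response. Have the IdP sign the "
                "Response." % (info["id"], info["encrypted_assertions"]))
    if info["plain_assertions"] and info["plain_assertions_signed"] == info["plain_assertions"]:
        return "ok: Response %s is unsigned but every plaintext Assertion is signed" % info["id"]
    return "error: Response %s carries no signature on the Response or its assertions" % info["id"]


def make_response(response_signed, body, rid="_resp1"):
    """Build a constructed samlp:Response with an optional placeholder signature."""
    sig = ("<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
           if response_signed else "")
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" xmlns:xenc="%s" '
        'ID="%s" Version="2.0">' % (NS["samlp"], NS["saml"], NS["ds"], NS["xenc"], rid)
        + "<saml:Issuer>https://idp.example.test</saml:Issuer>" + sig + body
        + "</samlp:Response>"
    )


# Constructed bodies: an encrypted assertion, and a plaintext assertion with/without signature.
_ENCRYPTED = ('<saml:EncryptedAssertion><xenc:EncryptedData Type="%s#Element">'
              "<xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue>"
              "</xenc:CipherData></xenc:EncryptedData></saml:EncryptedAssertion>"
              % "http://www.w3.org/2001/04/xmlenc")
_PLAIN_SIGNED = ('<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test'
                 "</saml:Issuer><ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
                 "</ds:Signature></saml:Assertion>")
_PLAIN_UNSIGNED = ('<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test'
                   "</saml:Issuer></saml:Assertion>")

ENCRYPTED_UNSIGNED = make_response(False, _ENCRYPTED)      # the case in this issue
ENCRYPTED_SIGNED = make_response(True, _ENCRYPTED)
PLAIN_ASSERTION_SIGNED = make_response(False, _PLAIN_SIGNED)
PLAIN_ASSERTION_UNSIGNED = make_response(False, _PLAIN_UNSIGNED)

if __name__ == "__main__":
    for name, doc in [("encrypted, unsigned response", ENCRYPTED_UNSIGNED),
                      ("encrypted, signed response", ENCRYPTED_SIGNED),
                      ("plaintext, signed assertion", PLAIN_ASSERTION_SIGNED),
                      ("plaintext, unsigned assertion", PLAIN_ASSERTION_UNSIGNED)]:
        print("%-30s -> %s" % (name, classify(inspect_response(doc))))
```

Run it against a Response captured from the browser (base64-decode the SAMLResponse form field first) to see immediately whether the IdP put its signature on the Response or only on the Assertion.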
Comment From: svschouw-bb
I just spent a few hours debugging, only to find out this was the issue.
Comment From: svschouw-bb
Not sure if this is related or should be a new ticket, but I notice that OpenSamlMetadataResolver sets the WantAssertionsSigned to true. I still need to confirm this, but I found at least one StackOverflow comment saying that setting this to true means Identity Providers will sign the assertions instead of the response, leading to this problem.
Comment From: jzheaux
Thanks, @svschouw-bb. I believe you may be right. Will you please file a separate ticket to make it so that WantAssertionsSigned is left unset?
Comment From: svschouw-bb
Thanks, @svschouw-bb. I believe you may be right. Will you please file a separate ticket to make it so that WantAssertionsSigned is left unset?
@jzheaux #10844