ADFS Sso And Using Passport-saml Express "No Decryption Key For Encrypted SAML Response"

- 1 answer

I am having this issue while logging ADFS SSO. "No decryption key for encrypted SAML response". Login from another account is being successful. Someone can help me with this. I am using Express with passport-saml work.

This is code snap where I am stuck.

node_modules/passport-saml/lib/passport-saml/saml.js in null. at line 623:15

 if (encryptedAssertions.length == 1) {
  if (!self.options.decryptionPvk)
    throw new Error('No decryption key for encrypted SAML response');
  var encryptedAssertionXml = encryptedAssertions[0].toString();


How encryption works in SAML: identity provider encrypts some elements of the SAML response with service provider's public key. The service provider decrypts using the private key that corresponds to the public key used to encrypt. In other words, the service provider needs to own a keypair - private key and public key - for this use case to work.

The private key of the aforementioned keypair needs to be configured via decryptionPvk parameter in passport-saml. Since the assertion is encrypted yet no private key is found in decryptionPvk, passport-saml complains.

Either remove the encryption on ADFS side or provide the private key to passport-saml.