Enabling encryption causing SAML flow to fail?

Hi there,

We are currently signing SAML assertions where ForgeRock IDC acts as an IDP and is configured for a remote SP. The flow works fine until we enable encryption of assertions and attributes.
We are following the ForgeRock Backstage Knowledge article (ForgeRock BackStage) to generate and add secret IDs.
After enabling encryption, when we try to hit the SAML flow URLs it just shows “Server error: Forgerock server cannot handle this request”. So I thought it might be an issue with the secret key configuration, but when I tried that with the default ForgeRock IDC keys it still fails.
Need help to fix this issue… Thank you in advance.


Can you double-check your remote SP’s metadata to ensure that they included a key for encryption? With SAML, encryption of an assertion is done by the IDP using the SP’s public key, which is provided via the metadata. You are looking for a KeyDescriptor element with either a use attribute with a value of signing or no use attribute on the element. The absence of such data in the SP’s metadata can result in the error you are seeing.

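A quick way to verify the point made in the reply above is to parse the SP metadata and list the KeyDescriptor elements an IDP is actually allowed to encrypt to. Per the SAML 2.0 metadata specification, a KeyDescriptor with use="encryption" is an encryption-only key, and one with no use attribute may be used for both signing and encryption; a KeyDescriptor with use="signing" only cannot be used to encrypt the assertion. The script below is an added example and not code from the original thread or from ForgeRock. The two metadata documents it parses are constructed for the example (entityIDs, endpoints and the base64 certificate placeholders are made up and not decoded); point it at the real SP metadata file to check yours.

```python
"""Check SP metadata for a KeyDescriptor usable for assertion encryption.

Added example for this thread; uses only the Python standard library.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample 1: SP metadata with a signing-only key and an encryption key.
# Certificate bodies are placeholders, not real X.509 data.
SP_METADATA_WITH_ENCRYPTION_KEY = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsigningonlyPLACEHOLDER==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBencryptionPLACEHOLDER==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample 2: the same SP, but the only key is marked use="signing".
# An IDP has nothing to encrypt to here.
SP_METADATA_SIGNING_ONLY = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBsigningonlyPLACEHOLDER==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def encryption_keys(metadata_xml):
    """Return the KeyDescriptors an IDP may encrypt to: use="encryption" or no use attribute.

    Each entry carries the use value, the whitespace-stripped base64 certificate
    (empty if the descriptor has no X509Certificate) and any declared EncryptionMethod
    algorithms.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata contains no SPSSODescriptor; is this really SP metadata?")
    usable = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        if use not in (None, "encryption"):
            continue  # use="signing" keys cannot be used for encryption
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        usable.append({
            "use": use if use is not None else "unspecified (signing and encryption)",
            "cert_b64": "".join(cert.split()),
            "encryption_methods": [em.get("Algorithm") for em in kd.findall("md:EncryptionMethod", NS)],
        })
    return usable


def check_sp_metadata(metadata_xml):
    """Return (ok, message): ok is True only if at least one usable key carries a certificate."""
    keys = encryption_keys(metadata_xml)
    with_cert = [k for k in keys if k["cert_b64"]]
    if not with_cert:
        return False, ("no KeyDescriptor with use=\"encryption\" (or without a use attribute) "
                       "that carries an X509Certificate; the IDP cannot encrypt assertions for this SP")
    return True, "%d encryption-capable key(s) found: %s" % (
        len(with_cert), ", ".join(k["use"] for k in with_cert))


if __name__ == "__main__":
    # Usage: python check_sp_metadata.py sp-metadata.xml   (falls back to the built-in samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = [(sys.argv[1], fh.read())]
    else:
        docs = [("sample with encryption key", SP_METADATA_WITH_ENCRYPTION_KEY),
                ("sample signing-only", SP_METADATA_SIGNING_ONLY)]
    for label, xml in docs:
        ok, msg = check_sp_metadata(xml)
        print("%s: %s - %s" % (label, "OK" if ok else "FAIL", msg))
```

If the check passes but the IDP still fails before the login page, as in the follow-up post, the metadata is not the only place to look: the certificate inside the encryption KeyDescriptor must also be a key the IDP can actually load, and its key type must match the key-transport algorithm the IDP is configured to use.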

Hi there,

I can find a KeyDescriptor with use=“encryption” and a certificate in the SP metadata, but we are still getting a server error (400 Bad Request); it doesn’t even get to the login process or the SAML response part.
Signing with the same certificate works fine, but encryption causes this issue.
Need help with this part.