SSO Troubleshooting: The SAML assertion could not be decrypted
Learn how to troubleshoot this error.
Error
During SSO, you may see this message when a user attempts to log in:
The SAML assertion could not be decrypted. Verify that certificates are valid.
Explanation
This message occurs when an X.509 certificate is invalid, or when there is a certificate mismatch between the identity provider and Foundry. Note that this error is likely to happen only if the IDP encrypts its SAML assertions (which is generally recommended).
In SAML, there are two public X.509 certificates: one for the Identity Provider organization and one for the Service Provider organization; in a SAML implementation, each organization’s system “knows” the other’s X.509 certificate. In the identity management system of the client, in the configuration for the EVERFI service provider, that configuration will normally store the EVERFI public X.509 certificate. In Foundry, in the IDP configuration, the IDP’s certificate (or at least the fingerprint of the certificate) is stored, as well as a pointer to which specific EVERFI public X.509 certificate the identity provider is using; this model allows for EVERFI to rotate its own X.509 certificates between an older certificate and a newer one with a later expiration date.
If the certificates between the IDP and the SP are out of sync, then when SAML assertions are sent, received and then decrypted, an error will occur because of the certificate mismatch between the two systems. When this occurs, you will see the “The SAML assertion could not be decrypted” error message. This could happen if the X.509 certificates for the partner are out of sync, or if the X.509 certificates for EVERFI are out of sync; either situation can cause this error.
When this problem can occur
Generally, this problem will not occur in a stable environment. It will occur only if someone changes the EVERFI X.509 certificate in the IDP without also updating the Foundry IDP configuration to designate which EVERFI X.509 certificate the IDP is now using, or if someone updates the Foundry IDP configuration with the wrong X.509 certificate for the partner organization.
Or, the error could happen if the X.509 certificate is not formatted properly.
How to Solve This Error
Ensure the X.509 certificates are in sync across both systems.
Ensure the X.509 certificate entered in the Foundry IDP for the identity provider is formatted correctly.
Technical background
This error occurs when either of the following exceptions is raised in Foundry while attempting to decrypt an encrypted SAML assertion:
OpenSSL::X509::CertificateError
OpenSSL::PKey::RSAError
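The two checks from “How to Solve This Error” (certificates in sync, certificate formatted correctly) and the two exceptions above, worked through in Ruby as an added example that is not Foundry’s own code. The certificates and session key are constructed self-signed test values, and the names make_self_signed, parse_certificate, fingerprint, certificates_in_sync?, wrap_session_key and unwrap_session_key are this example’s own.

```ruby
require "openssl"

# Build a self-signed certificate and key so the example runs offline.
# These are constructed test values, not EVERFI or partner certificates.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Parse the PEM pasted into an IDP configuration. A malformed certificate is
# the case that surfaces as OpenSSL::X509::CertificateError; return nil instead.
def parse_certificate(pem)
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil
end

# SHA-256 fingerprint in the colon-separated form most IDP consoles display.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(":").upcase
end

# Both sides must hold the same certificate; compare by fingerprint rather
# than by eyeballing the PEM text.
def certificates_in_sync?(pem_a, pem_b)
  a, b = parse_certificate(pem_a), parse_certificate(pem_b)
  !a.nil? && !b.nil? && fingerprint(a) == fingerprint(b)
end

# The IDP encrypts the assertion's session key to the SP certificate it holds.
def wrap_session_key(sp_cert_pem, session_key)
  parse_certificate(sp_cert_pem).public_key
    .public_encrypt(session_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# The SP unwraps with its private key. If the IDP encrypted to a different
# (old or wrong) SP certificate, this raises OpenSSL::PKey::RSAError; return nil.
def unwrap_session_key(wrapped, sp_key)
  sp_key.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
rescue OpenSSL::PKey::RSAError
  nil
end
```

To use this against a real configuration, pass the PEM stored in the Foundry IDP configuration and the PEM exported from the identity provider to certificates_in_sync?; a nil from parse_certificate points at a formatting problem, a false from the comparison at the out-of-sync case.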