As a service provider, is there any way to tell the IdP to encrypt their
response and maybe reject the response if it is not encrypted?
We are an SP and work with multiple IdPs and in the decoded SAML message, in
our DEBUG logs, we always get
<saml2:EncryptedAssertion>...</saml2:EncryptedAssertion> except for one IdP
which sends unencrypted data and the decoded SAML message contains
<saml2:Assertion>...</saml2:Assertion> directly. In this case, regardless of
the credentials in my <CredentialResolver>, I can see the attributes being
sent. Is there any way to tell the IdP that we expect them to encrypt the
data being sent?
If you're using the Shibboleth SP, this is more a question for users@, and the answer is no, I don't believe that's ever been included as an option. If you're not using the Shibboleth SP, it's not a topic for any of our lists.
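
An added example, not part of the thread and not Shibboleth code: a stand-alone Python check over decoded messages, such as those in the DEBUG log, that reports which issuers send <saml2:Assertion> in the clear. The sample messages and entity IDs are constructed, the function names are hypothetical, and the check inspects structure only; it does not validate signatures.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def classify_response(xml_text):
    """Return (issuer, verdict) for one decoded samlp:Response."""
    # SAML messages never need a DTD; refuse one before parsing.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    issuer = root.findtext(f"{{{SAML}}}Issuer", default="(unknown)").strip()
    # Count direct children only: that is where the schema puts assertions.
    plain = len(root.findall(f"{{{SAML}}}Assertion"))
    enc = len(root.findall(f"{{{SAML}}}EncryptedAssertion"))
    if plain and enc:
        return issuer, "mixed"
    if plain:
        return issuer, "plaintext"
    return issuer, "encrypted" if enc else "no-assertion"


def idps_sending_plaintext(messages):
    """Issuers that sent at least one assertion in the clear."""
    flagged = set()
    for msg in messages:
        issuer, verdict = classify_response(msg)
        if verdict in ("plaintext", "mixed"):
            flagged.add(issuer)
    return sorted(flagged)


# Constructed sample messages (not from the thread), trimmed to the
# elements the check looks at.
_HDR = f'<saml2p:Response xmlns:saml2p="{SAMLP}" xmlns:saml2="{SAML}">'
SAMPLE_ENCRYPTED = (
    _HDR + "<saml2:Issuer>https://idp-a.example.org/idp</saml2:Issuer>"
    "<saml2:EncryptedAssertion/></saml2p:Response>")
SAMPLE_PLAIN = (
    _HDR + "<saml2:Issuer>https://idp-b.example.org/idp</saml2:Issuer>"
    "<saml2:Assertion><saml2:Issuer>https://idp-b.example.org/idp"
    "</saml2:Issuer></saml2:Assertion></saml2p:Response>")

if __name__ == "__main__":
    print(idps_sending_plaintext([SAMPLE_ENCRYPTED, SAMPLE_PLAIN]))
```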