[SalesForce] SAML Assertion Validator crashing on encrypted assertion

I'm adding support for encrypted assertions to my SAML 2 IDP, and I'm trying to validate them against a number of SPs we work with. Everything looks good at https://www.samltool.com/online_tools.php (successfully validated encrypted assertions via the SAMLResponse validator tool) but things aren't working with Salesforce. And unlike most of the time, I can't get any useful debug info out of the SAML Assertion Validator. It doesn't record anything except the timestamp of failing assertions in history, and if I feed it a SAMLResponse directly, I get an internal server error. It asks me to contact support to provide more information, but that's not possible with a developer account. So I guess this is what I've got available.

Everything works fine without encryption using the HTTP-POST binding. I can just disable encryption in my IDP, and Salesforce happily accepts the assertions.
I am using a self-signed cert generated directly from the "Certificate and Key Management" page in the Salesforce setup, followed by downloading the certificate to add to the configuration in my IDP.
I added that keypair as the "Assertion Decryption Certificate" in the "SAML Single Sign-On Settings" in Salesforce. I noted the change in the ACS URL and updated my IDP to match. And yes, it still accepts unencrypted assertions at the new ACS URL without problems.
I'm using the IDP-initiated flow, sending SAMLResponses that don't correspond to any request.
I'm not sending any RelayState.
When salesforce receives the assertion, it displays the generic "Single Sign-On Error" page.
When I check the SAML Assertion Validator, it shows me nothing about these failing requests in history – unless I also had a recent succeeding (unencrypted) request, in which case it shows me data from the succeeding request, except with the timestamp of the most recent failing request. This reads to me like it logged that a request happened, but not what the assertion it received was.
If I paste the SAMLResponse (base64-encoded or not) into the input validator box on that page and hit the validate button, I get an internal server error.

Here's a sample of a failing SAMLResponse, still base64-encoded:

PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIFZlcnNpb249IjIuMCIgSXNzdWVJbnN0YW50PSIyMDE5LTA1LTAzVDE2OjQwOjU0WiIgSUQ9Il8yNDMyZWI4Mi0xMDI4LTQ4ZjQtODY3MC1lNTU4N2FkYTJiMGYiIERlc3RpbmF0aW9uPSJodHRwczovL2xvZ2luLnNhbGVzZm9yY2UuY29tP3NvPTAwRDJFMDAwMDAxRngxeCZhbXA7c2M9MExFMkUwMDAwMDBUZlBXIj48c2FtbDpJc3N1ZXI+aHR0cDovL2xvY2FsaG9zdDozMDAwL3NhbWwvZWZkOTk0YmItYjc5Ni00ODhiLWFjMDEtMmUyYmVlZTc5ZjFmL21ldGFkYXRhPC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpFbmNyeXB0ZWRBc3NlcnRpb24+PEVuY3J5cHRlZERhdGEgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyI+PEVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNhZXMyNTYtY2JjIi8+PEtleUluZm8geG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxFbmNyeXB0ZWRLZXkgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZW5jIyIgSWQ9Il9iMTA2OThhYi1kNTA2LTQ0ZDEtYWRjMi1mMjJiY2IzNjQ3YjYiPjxFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjcnNhLW9hZXAtbWdmMXAiLz48Q2lwaGVyRGF0YT48Q2lwaGVyVmFsdWU+YUNIOXlOanhGV2N6TFd0WWtOaUxTbVRHaUQ5T1Y5b3FqazlLb0EwVFFGMWtXMFNZc1RwQ3BqT1ZHeW5aODNDcWRZYWxXQnlBTlpxandWWThHNmlHUFVVWHBMMXRUR1UzeGFOWUlmbUtOeEwzZlE4Z2llRjZNRHo2R1BMTkxQdjR5Vy9aa2xMYURpR2F0Z2FMSStsa0tEdThRQkx6QXNtVGVmdGFGK1JUcGdlaUlpNU5OeW5mNFZQVzh2MGpHZHYrQjR4ajJZa0FqR29JSDhZVEtNbGNsTEVJU1JEaTlQMW1ocXdkS2k5ZE9ZS0dMRXhVTyt0K3JSTjYwT1l4SmtDWnliRVo4MERGYWd2M1JEcmFMc2dGYndjM05PQmxCamNXSTF3NWdwK0ZPZUp5VnA1UVFTNjNEbHRuTEZHaDBhN1ZyMkJ2Y3RiQ3ExT1l1RHFpdHZ6ZWFBPT08L0NpcGhlclZhbHVlPjwvQ2lwaGVyRGF0YT48L0VuY3J5cHRlZEtleT48L0tleUluZm8+PENpcGhlckRhdGE+PENpcGhlclZhbHVlPkFLaDBMRVdpKytGM1VhOFdiZmRtN1ZocVloanloSEQwc2FIVlZkME1EQzcwNDRSQVZpNDVyS2gwa3ZFZUJteUN4K2VoZ3ByZmU5MDZMK0pkbjFPcjFwUUxybllhaDl5QzNOVlRSS2Q0WDlQYXZjMWJUL2lnR1d2UHFuTGowVElHM1hOYXRZbHVpL0xIOWRoSUE0UjJqeDREZitOeHc1dHRvTzNBaWpXVWlSdHRpMmplNGZmNFphOXVnVk8rS2EyV2psT0ZqaUx3cCsyQ1FhTGREMEU4L09Za1JrRHZwOUI0SzdjcURIRkIzcmNBejQ0K0F6dEtTVnhPdGVQV2twVlBLdmNqaUJEaHVCczhHaHgzZXF3UlEra0lZMHBJZE03c3hiQWxhTVVHN3RlK3NDdWlOZWU5VWpxZDNwVHYwMnhHYVg0T1lYbXhCaVEyV2tzWU1BR1ZOdGlLVFo0R2JXSW0zcTUzV1VYL2xHL0UzRmdPaHVHVlJaTmFXQWVLUE1NVDBOSC8rampWYm1VMTF3L0ZZMUxra3VTNklUZWxBL0hxckoyU21NVmljNnR5MTJFV2R2Ri9IQkEvWE51TnMwTlpEUzJWNk02QU9OblQxeXZDV3ZOTGxKb2RtNGRSSTk2NmhSMkozYmlzTWRkVEZRUEFsM1gxV21ZejJBRmlYeDBLQzJHU0VPWC9rUG1FdFlOa2RnUHpQUlY5Y2NhS0wxQ1FPanAvZnh6Mk52VUgzVnloNnQ1VHc5cjNMVjFML2tmUGF6UlBXRUpjSDUyTUJ5cGsxL3J4WHhKSkVGcG15R0RIUU5pbHlnVHc3STFpSE4zb2NUK0NKaGhkaTVZcU0wanAvYnozS20xa3ZSUW91U2x6SnFFR0JTYnBUS05mMFFFRzJkN2VFMkcvZ2gxWDREZ0xwVXJUaW9ibjhmcDlXMU1yQnR5RHBoYU9pcnZ3Q0I3Yi9LVmR6ZEhFTDZQWE53Si9pclpSOXF5MDBlNG5SWkY4SndGSGwwQ1JBRkYyU2JqT3NjZ2pEQStzSFZiTGM0R0ZEanRtS2dqRTBqdVRsSVg1M0JBaFFhYTNyN284M2piYmpIczNnUkFlWEg4ZlJKeVFCS1RIOFN5clFYa2I4b1FFcTJiQzJTMFZ6Z0FSbExUaVpDY1dsU214NUVUY3ZYTXdQMzBvTXhqVVJ0VUJwbnZPSlZyRytPNitDYUJxenhsbDdGOGdHbTlMOFhmdFU2c1pWcDZDR09GaGFuWlcwS05SMFp6K3F0eE5BOHNLRjFDdlpBTk1JeWYvNjRDVjRFaTI2Zms1V0p1OUNISDhUNjdvSjloQi83VEY4RnRaUk00RlJzYzBGTW52R0x4Uys1YXpYMmZBZEpXVW9kN1pmdGdsRStkWElFYmRlOHNwenF0c3VYMVNFb3NiME5ZdDJRTHlDSlZaZngwQmJMd1JIczI4VWRyZC83UDlvbWNXVlpKSTRIQ1RTWEgrTDgrY1NIYU9BTW5JR2tlVk4wODkwSE1YL3NtRjc5WTBhSUI3c3NDbEZtRlB2VUlmRHRQNnQ2eG5MQzZGQkNtT0FHcTBmY1BDQkQySlY2bjdZTEw1TkFodXpXdGF6eFFuSGFqWVNZVDEyOStQK09mOCtnbUJTbmkvck9ISk1DSEhydGlQbThjV080aS9rQlJqTzd6MDZCd0N4bVlUVjY1bXpEbERQUkZ3RWRwTXFLb3dtb0xoSzRGTUNGWm1EZEJNSDRCTTg2SWxoVndsdjdnNkk2TWx6RmR6NGxRdlRGdXo0d1AxREJ6dE92OFJVc2o3N0xUY29saEM1YndQMzFOazlHWjF1ZmN2RFN2aFNZOVhUeHdNSW5Sc1hJaWl6a2lzK2tHSmN2R2NnMWN2MFJ2QTJiRmxYSnNPMFpYeldlZmVQeTRNKzVZOCtOdjAxdUFrQkI2Vit0T3p2NmJGVjRicWo5emdvVjU3Z1duNWV4TlBpZnVJRUpDZTgyQVNRQjRDQUNCdU1tWXc2bGZDS0prV3czYUVJYm5SQ3RTSDQ1dUFmZXN1aUNGT2kzRStjdW9hVWxvWkdjbWtBeXJlcVEzNEk1WFhBdGdCVE1uejFwemV6V290Wmt3Z3RnMUlpdXdWZTlCRUM2eVh2dUM2bmkrMGhwWnlwSmVIQ1BuRmk1SDlBcFBLTFlBNnc2c2xrT2tEWVVVK2NVR3JuSUhNUkwxanZCWHhEa29rMjFpRC9zVUU3L1J6OGprTkMvTkkwdFRySU1RNjNGbXFJSFlKWnFGeFMyMlplWDNaemt2cW9sRXFWWnhXbkxKbzY4Vm91VllGa09Hc2paR1ZqeldEMVFXanhzNjA1NHIwUm41di9rb3RVanJHY01KMzNHVHEwSklNaFBtb0g5ajNXMXp4eDE5NUtoNWRheUJPeDBQLzRleVB3Ti9oeTdkb05wbUlQTFpkeEc1SXZ5VXBSUGtidmpUL3E5cjZxQWZCa1VnZzB3NEtQS1pycDVyYkVzSXYxWjRGV0VxamF3UGp0Z0NCZzQ0dlVxdFl4b1JiRUszVEo5V21mRCtkUVVMR295YzFDbFVhT2VhRWNreWtNRnpEamdWRGZhS0ptdXUrcmw4TUw1OWFxZVBCcURzTElpVGtmNEluZE9ZL2svUDkrMHZpR1Q0RDRiMk12M1FZOTEwOXdWL2ZOZWwwbklWVjNiL2Q5KzZKMUtJSjFBaWMwNUw4SytSVjczZkQrNTdja2p4TGpmUG9SaTUvZDh1R0NONUpHUGx3Umc3UGlqUyswa0ZvS1N0OVZYQ0VUTWVtaFZvWHp6VWpWWDE1V3c5R05ldW5KY1FSREFveVI3MzJRUFgvNW96M3l4QWhQZ0o0YVFuNGI3TlJwSXRJL21Ub0hieVNldFNyUWlKRVFKa3BFN0dUcldhTS9OTmdIUVpIVEFoVFZJSjlMdTZqWCsvdGt4MnFqK245NG84cHRCOStid0g3WkMvVWZrZitwR0xUaHYrN3BwN0M0cnpJYXlZOEhMV3ppSDF1TUxPdVhCeU5yY0g1M0dRbFhFTDJrTDNDZlE2OXlZK1RIVHFRNkZyVFBjb1NMRHRyU1duNkpuaFQ4a2dlZlBpUm9FSXVvQkZyVkUvTkJ3eFdZLzEyb2lzNHNtMHRvM2VnVFRHaDI5R3VJeEtTakxCZG82QjZFUlZGWit4ZHFQM3BjY05IVnBmdHVHT1hZb0pqa0ZrRVJIUmJyY1c1b0FNRjZuWFBBTms0U2lydnRGMUg1THBLT2VyWjV3NVUxZFFrcVBWRU12TkJOL29IbVZjTGpMcmJ5amVXQVEyWVZkS1BrL1dkRENoVko5azJJNnFxbVpuK2VrSXcxT2wxTHJpcnNhS1I4amF3alFFTTkzMjcvblNLbzJ1TU02NWZSeDVQR2FadFNlRWVsd0k0bFlvVldlLzg5cGdycm9STU1tNThYTnJxeHMrVmMrNjlGSU82V0ZUOWdVb2gxSGI2QkJiUjdlWlh4V3o2SXh1bmRCSGxheFlub2Rjd29mNFNtRTZLYlBMVVlTYUNnRHRGS2RSWld5S1A2dDI2QnhKTWJCOGlmUllMQjdrelZGbWYrQ1JtRUdTMFA3RWlCaWs5VDYrdmhmV1B5MjRaL3BaVVUwVm1RcEVPY0JENnhZUFdSTXRLYkx4SHdRZUwrbGFybm1ZOWpETzFhUGdCT21kY2d4QXdXZi9XRFkycWFORVhldVpuMndhZktURE9YQVdVdFFzMkcwc2o1ako3bDBOT0V0akJ2MG8yOXMxQUJQNjcxWkowMGtHaFpPdVJYZTNzUS95WkpmZCtGWkx0Tm1RQVlzVkxLMVB1NFN6WUJCZmcybzRrNlRBa1F5Q0o1TURTMTJLYWpBNCtwTVFsZTZ0YU41bU1JMkMrRDNzTktLVjBJVlQ3MFlSWU05NFVUZVhDdGVmTVJvRUh3Wjl1SStRODIvZlAxYXcvTkFEY04wdkR4N0gzZnNWUmcrSkZsN0ZKMzhta0dMcng0dTFCZGVIQ0NvN2NYM3l2NGdFYjFpQVZIdnczaUpPMFFpc2JpL3doazExTzdOWFJIRm45c214Qm5XWWlNTEQxMUIrOE9pby93VE9PdThNYU1iVHNqd251b1cvTllid2ZxN0I5bHFnZ3NRbzE5bzh3d2dGb1ZYSmlrbVM1NmJ5TEk2V1lRZjlCa21Tc3k1ZDc3ak94L0FIUGVZbERnWnZmbWptMFpMSlJLK2ZDcm91TDRONitFL2VubzJCa1pjZ3NVa2lta2xUbUxhRGRpdmVuVThleUd5eVhuUzYrQ09KMmlVT3YwMnpkZnhQNDcvL2VZbVc0cGhxR0FQSlY2MDNOczhyRGlMcFE4UXEwSmg2Y0dzR3l0MnM3amN6STJUdnJQNXRPU2ZiL0xWdXRhME5EOWtBZ1lFLzNZR0ZHNVNBcjFsVDZwZ3lTazlUMHVCUG91ZWVEL1FLV0xtTllyamxMSWF6UnBYREZRM3NWNkdjZ28wT0ExelVETnlvWVhGSXQzbDVERnBsOXVQWFgyVktFK1RQazdHR29YZFJpWVc5ZjBZTEZUQnJ5Uzc3TUYrKzhqbXVaOHdQOGx6b1NwMmFDQWVJWS96NjI5RHlaM2E4Skd0ME1TRnZ5SE5wdlVGWmNDRTh2VDU1RmFsYWE1cW90MWlNVUREOTUzYnRMWnl4ZktxSVVucjdJK2djbTh0azZ4enhMcitDZW5CWjhBYmNsVWVqYmROSnhwc1VlTHZ0YnB4TEdoY2dQdjBJa0lyS0tvZ0J3U1BzY3hVVHluc1lGRnFiV1FOZmtzdkpFem9FMXBOODNTaGs0TUt1ZUxzamdLQ1ppbEtWcklQS3o2TUxqYmo2OENHcFFzaTJtU01rMEM2VnZRSEJHZk5nakJEU2NKbk5JSnAzcExUdm9kaHpMZkMyRDdzb2psZllXblZoMUx2VHp2UEtUL3MzdVNYTUlERDdEVlRFdGlneXRMcXBJNEpNWjNxaTFxYUFtV0ZjajMzT2NkQzJIeHRiRnRSbjN1WHRDMmh2K28rclpPVnZHUzd0bGZQbTBuY3U4aE8yV0F6cmMwMUVXZWNhVE1vek9uOWlWTGZlakVlWXNybGtVam1tV29jUnFJeWl6bVBHUHVLSDVtYTNVVEVrNWpzQ3FxV2k2MnNwTG1YYTh3RlJGNTBJMUxMVlkvZDRPYnNOME5mL3ZwQ1M5dzlaQUcwcEFIQ0xETGlnUVZjV054YnFYVWpxN2tyemhzRnB0ckZMczNES3B3Tm4zM1RscjZ4OUlDang4QUNMajk2bExhb1pUdkNhTmlQS2xzcVJwcXpGK0xhenVTd2FkSW5nbWR4TjVNODU1MTBEVnVibWd5Snh2bzA3VWdlL2VrTVlCTlZ3dFp0dXdNTy9IWkltSEhac2ZaMHFxS1FvOGNzVFVWNC9CaWN4Sm9sd2IzV3BvRXU2dUYvUTVpMGdEL3hxcUxaUW5GVStSMGxScmhNZWhxdHlrbW9rZU41QzJMOTZKVmdhc09UblNzYndqRGFPQmplaXIrQUJTbW1BSHRiK3cwcHFteS9UM2NIMXJrb1RRdFZ2U2szMmJTTFNjUlFOK3lWWVFEZUY4Q0plcjlHbTNYNVRPSlJYeVh3Q2F3SStKSyt4VWRvU2s3SUd3N1Zkb2JuTUxlVzlHY09hK21ORUFxTWNiS2svSHFJK3BQS2RMc1J3OW1xbnZ4cTljcDRTNENUdW14SzlJQzJzY1J5cWlqYURZZHY1cWZHL3RTRWhQS2s4V3ZFRE1ndU01YkZXVDV6RnpudFdFR1g4SEtFWGo2N0RpK09ZZEtuSUQzR3Bqcm4vcWR4VFN6QWg3WkhoMDUvK0YwR3UrYWNieFNtcjcwYk1JSWxvMW95S2VaOE1EeFFueStVdUlFbXZlZnVaM0dBVDNtejJ6ZnloTUtpYWNpbDczMWdTdkZKNWV0cG11V0ZOTmYrdm9QSm5aVnY0WU81aVhHRDM1NGhTNVo3YkdZVjFOa01yaFFiMjdMeEtlTE1zNUNFc0o2UXdJbXlsLzVsblQzMVNuN0JpTDJwdnREWkdmUS9md05mcXNXb3ZhR2gxMjExTWZkQ2MzWDdXVkxLOEVsZzJTL09RUkNwNGlZRm5WY3g3UzRzM2FBU3c0ejg3MFNxNjlxYWtPZllOY2V5Z2s5ajRLQTQ5T3lFYm9LcFc5R1ZRZG4zY3hTcnFBUFFRd0RES3QxcEVoTVFLT0JGL2dMWHY3V2cwQzhoSWlUdG9vaFdONk1EbDMraGlVN09oVHBhRUY2Z0Vvb3JCYU9rUGNqbmpsU3Q0THFiRTVZcG5CYVloTmpRZVIzQT09PC9DaXBoZXJWYWx1ZT48L0NpcGhlckRhdGE+PC9FbmNyeXB0ZWREYXRhPjwvc2FtbDpFbmNyeXB0ZWRBc3NlcnRpb24+PC9zYW1scDpSZXNwb25zZT4K

Here's the same SAMLResponse decoded and pretty-printed for readability. Once again, this has been pretty-printed for readability. The actual bytes sent are the base64-encoded version above.

<?xml version="1.0"?>
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" IssueInstant="2019-05-03T16:40:54Z" ID="_2432eb82-1028-48f4-8670-e5587ada2b0f" Destination="https://login.salesforce.com?so=00D2E000001Fx1x&amp;sc=0LE2E000000TfPW">
  <saml:Issuer>http://localhost:3000/saml/efd994bb-b796-488b-ac01-2e2beee79f1f/metadata</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Id="_b10698ab-d506-44d1-adc2-f22bcb3647b6">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <CipherData>
            <CipherValue>aCH9yNjxFWczLWtYkNiLSmTGiD9OV9oqjk9KoA0TQF1kW0SYsTpCpjOVGynZ83CqdYalWByANZqjwVY8G6iGPUUXpL1tTGU3xaNYIfmKNxL3fQ8gieF6MDz6GPLNLPv4yW/ZklLaDiGatgaLI+lkKDu8QBLzAsmTeftaF+RTpgeiIi5NNynf4VPW8v0jGdv+B4xj2YkAjGoIH8YTKMlclLEISRDi9P1mhqwdKi9dOYKGLExUO+t+rRN60OYxJkCZybEZ80DFagv3RDraLsgFbwc3NOBlBjcWI1w5gp+FOeJyVp5QQS63DltnLFGh0a7Vr2BvctbCq1OYuDqitvzeaA==</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>AKh0LEWi++F3Ua8Wbfdm7VhqYhjyhHD0saHVVd0MDC7044RAVi45rKh0kvEeBmyCx+ehgprfe906L+Jdn1Or1pQLrnYah9yC3NVTRKd4X9Pavc1bT/igGWvPqnLj0TIG3XNatYlui/LH9dhIA4R2jx4Df+Nxw5ttoO3AijWUiRtti2je4ff4Za9ugVO+Ka2WjlOFjiLwp+2CQaLdD0E8/OYkRkDvp9B4K7cqDHFB3rcAz44+AztKSVxOtePWkpVPKvcjiBDhuBs8Ghx3eqwRQ+kIY0pIdM7sxbAlaMUG7te+sCuiNee9Ujqd3pTv02xGaX4OYXmxBiQ2WksYMAGVNtiKTZ4GbWIm3q53WUX/lG/E3FgOhuGVRZNaWAeKPMMT0NH/+jjVbmU11w/FY1LkkuS6ITelA/HqrJ2SmMVic6ty12EWdvF/HBA/XNuNs0NZDS2V6M6AONnT1yvCWvNLlJodm4dRI966hR2J3bisMddTFQPAl3X1WmYz2AFiXx0KC2GSEOX/kPmEtYNkdgPzPRV9ccaKL1CQOjp/fxz2NvUH3Vyh6t5Tw9r3LV1L/kfPazRPWEJcH52MBypk1/rxXxJJEFpmyGDHQNilygTw7I1iHN3ocT+CJhhdi5YqM0jp/bz3Km1kvRQouSlzJqEGBSbpTKNf0QEG2d7eE2G/gh1X4DgLpUrTiobn8fp9W1MrBtyDphaOirvwCB7b/KVdzdHEL6PXNwJ/irZR9qy00e4nRZF8JwFHl0CRAFF2SbjOscgjDA+sHVbLc4GFDjtmKgjE0juTlIX53BAhQaa3r7o83jbbjHs3gRAeXH8fRJyQBKTH8SyrQXkb8oQEq2bC2S0VzgARlLTiZCcWlSmx5ETcvXMwP30oMxjURtUBpnvOJVrG+O6+CaBqzxll7F8gGm9L8XftU6sZVp6CGOFhanZW0KNR0Zz+qtxNA8sKF1CvZANMIyf/64CV4Ei26fk5WJu9CHH8T67oJ9hB/7TF8FtZRM4FRsc0FMnvGLxS+5azX2fAdJWUod7ZftglE+dXIEbde8spzqtsuX1SEosb0NYt2QLyCJVZfx0BbLwRHs28Udrd/7P9omcWVZJI4HCTSXH+L8+cSHaOAMnIGkeVN0890HMX/smF79Y0aIB7ssClFmFPvUIfDtP6t6xnLC6FBCmOAGq0fcPCBD2JV6n7YLL5NAhuzWtazxQnHajYSYT129+P+Of8+gmBSni/rOHJMCHHrtiPm8cWO4i/kBRjO7z06BwCxmYTV65mzDlDPRFwEdpMqKowmoLhK4FMCFZmDdBMH4BM86IlhVwlv7g6I6MlzFdz4lQvTFuz4wP1DBztOv8RUsj77LTcolhC5bwP31Nk9GZ1ufcvDSvhSY9XTxwMInRsXIiizkis+kGJcvGcg1cv0RvA2bFlXJsO0ZXzWefePy4M+5Y8+Nv01uAkBB6V+tOzv6bFV4bqj9zgoV57gWn5exNPifuIEJCe82ASQB4CACBuMmYw6lfCKJkWw3aEIbnRCtSH45uAfesuiCFOi3E+cuoaUloZGcmkAyreqQ34I5XXAtgBTMnz1pzezWotZkwgtg1IiuwVe9BEC6yXvuC6ni+0hpZypJeHCPnFi5H9ApPKLYA6w6slkOkDYUU+cUGrnIHMRL1jvBXxDkok21iD/sUE7/Rz8jkNC/NI0tTrIMQ63FmqIHYJZqFxS22ZeX3ZzkvqolEqVZxWnLJo68VouVYFkOGsjZGVjzWD1QWjxs6054r0Rn5v/kotUjrGcMJ33GTq0JIMhPmoH9j3W1zxx195Kh5dayBOx0P/4eyPwN/hy7doNpmIPLZdxG5IvyUpRPkbvjT/q9r6qAfBkUgg0w4KPKZrp5rbEsIv1Z4FWEqjawPjtgCBg44vUqtYxoRbEK3TJ9WmfD+dQULGoyc1ClUaOeaEckykMFzDjgVDfaKJmuu+rl8ML59aqePBqDsLIiTkf4IndOY/k/P9+0viGT4D4b2Mv3QY9109wV/fNel0nIVV3b/d9+6J1KIJ1Aic05L8K+RV73fD+57ckjxLjfPoRi5/d8uGCN5JGPlwRg7PijS+0kFoKSt9VXCETMemhVoXzzUjVX15Ww9GNeunJcQRDAoyR732QPX/5oz3yxAhPgJ4aQn4b7NRpItI/mToHbySetSrQiJEQJkpE7GTrWaM/NNgHQZHTAhTVIJ9Lu6jX+/tkx2qj+n94o8ptB9+bwH7ZC/Ufkf+pGLThv+7pp7C4rzIayY8HLWziH1uMLOuXByNrcH53GQlXEL2kL3CfQ69yY+THTqQ6FrTPcoSLDtrSWn6JnhT8kgefPiRoEIuoBFrVE/NBwxWY/12ois4sm0to3egTTGh29GuIxKSjLBdo6B6ERVFZ+xdqP3pccNHVpftuGOXYoJjkFkERHRbrcW5oAMF6nXPANk4SirvtF1H5LpKOerZ5w5U1dQkqPVEMvNBN/oHmVcLjLrbyjeWAQ2YVdKPk/WdDChVJ9k2I6qqmZn+ekIw1Ol1LrirsaKR8jawjQEM9327/nSKo2uMM65fRx5PGaZtSeEelwI4lYoVWe/89pgrroRMMm58XNrqxs+Vc+69FIO6WFT9gUoh1Hb6BBbR7eZXxWz6IxundBHlaxYnodcwof4SmE6KbPLUYSaCgDtFKdRZWyKP6t26BxJMbB8ifRYLB7kzVFmf+CRmEGS0P7EiBik9T6+vhfWPy24Z/pZUU0VmQpEOcBD6xYPWRMtKbLxHwQeL+larnmY9jDO1aPgBOmdcgxAwWf/WDY2qaNEXeuZn2wafKTDOXAWUtQs2G0sj5jJ7l0NOEtjBv0o29s1ABP671ZJ00kGhZOuRXe3sQ/yZJfd+FZLtNmQAYsVLK1Pu4SzYBBfg2o4k6TAkQyCJ5MDS12KajA4+pMQle6taN5mMI2C+D3sNKKV0IVT70YRYM94UTeXCtefMRoEHwZ9uI+Q82/fP1aw/NADcN0vDx7H3fsVRg+JFl7FJ38mkGLrx4u1BdeHCCo7cX3yv4gEb1iAVHvw3iJO0Qisbi/whk11O7NXRHFn9smxBnWYiMLD11B+8Oio/wTOOu8MaMbTsjwnuoW/NYbwfq7B9lqggsQo19o8wwgFoVXJikmS56byLI6WYQf9BkmSsy5d77jOx/AHPeYlDgZvfmjm0ZLJRK+fCrouL4N6+E/eno2BkZcgsUkimklTmLaDdivenU8eyGyyXnS6+COJ2iUOv02zdfxP47//eYmW4phqGAPJV603Ns8rDiLpQ8Qq0Jh6cGsGyt2s7jczI2TvrP5tOSfb/LVuta0ND9kAgYE/3YGFG5SAr1lT6pgySk9T0uBPoueeD/QKWLmNYrjlLIazRpXDFQ3sV6Gcgo0OA1zUDNyoYXFIt3l5DFpl9uPXX2VKE+TPk7GGoXdRiYW9f0YLFTBryS77MF++8jmuZ8wP8lzoSp2aCAeIY/z629DyZ3a8JGt0MSFvyHNpvUFZcCE8vT55Falaa5qot1iMUDD953btLZyxfKqIUnr7I+gcm8tk6xzxLr+CenBZ8AbclUejbdNJxpsUeLvtbpxLGhcgPv0IkIrKKogBwSPscxUTynsYFFqbWQNfksvJEzoE1pN83Shk4MKueLsjgKCZilKVrIPKz6MLjbj68CGpQsi2mSMk0C6VvQHBGfNgjBDScJnNIJp3pLTvodhzLfC2D7sojlfYWnVh1LvTzvPKT/s3uSXMIDD7DVTEtigytLqpI4JMZ3qi1qaAmWFcj33OcdC2HxtbFtRn3uXtC2hv+o+rZOVvGS7tlfPm0ncu8hO2WAzrc01EWecaTMozOn9iVLfejEeYsrlkUjmmWocRqIyizmPGPuKH5ma3UTEk5jsCqqWi62spLmXa8wFRF50I1LLVY/d4ObsN0Nf/vpCS9w9ZAG0pAHCLDLigQVcWNxbqXUjq7krzhsFptrFLs3DKpwNn33Tlr6x9ICjx8ACLj96lLaoZTvCaNiPKlsqRpqzF+LazuSwadIngmdxN5M85510DVubmgyJxvo07Uge/ekMYBNVwtZtuwMO/HZImHHZsfZ0qqKQo8csTUV4/BicxJolwb3WpoEu6uF/Q5i0gD/xqqLZQnFU+R0lRrhMehqtykmokeN5C2L96JVgasOTnSsbwjDaOBjeir+ABSmmAHtb+w0pqmy/T3cH1rkoTQtVvSk32bSLScRQN+yVYQDeF8CJer9Gm3X5TOJRXyXwCawI+JK+xUdoSk7IGw7VdobnMLeW9GcOa+mNEAqMcbKk/HqI+pPKdLsRw9mqnvxq9cp4S4CTumxK9IC2scRyqijaDYdv5qfG/tSEhPKk8WvEDMguM5bFWT5zFzntWEGX8HKEXj67Di+OYdKnID3Gpjrn/qdxTSzAh7ZHh05/+F0Gu+acbxSmr70bMIIlo1oyKeZ8MDxQny+UuIEmvefuZ3GAT3mz2zfyhMKiacil731gSvFJ5etpmuWFNNf+voPJnZVv4YO5iXGD354hS5Z7bGYV1NkMrhQb27LxKeLMs5CEsJ6QwImyl/5lnT31Sn7BiL2pvtDZGfQ/fwNfqsWovaGh1211MfdCc3X7WVLK8Elg2S/OQRCp4iYFnVcx7S4s3aASw4z870Sq69qakOfYNceygk9j4KA49OyEboKpW9GVQdn3cxSrqAPQQwDDKt1pEhMQKOBF/gLXv7Wg0C8hIiTtoohWN6MDl3+hiU7OhTpaEF6gEoorBaOkPcjnjlSt4LqbE5YpnBaYhNjQeR3A==</CipherValue>
      </CipherData>
    </EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>

Given that the encrypted assertions I generate are accepted by the samltool.com online validator (and I've done a test decrypt myself, everything looked right), I'm guessing that the problem is in the KeyInfo section. I'm guessing Salesforce wants some indicator what certificate was used to encrypt the assertion, and is blowing up without it, even though the config explicitly says what keypair to use to decrypt encrypted assertions.

Whether that's right or not, I'm clearly missing something salesforce is expecting to be present in an EncryptedAssertion. (Just because it's valid by the schema doesn't mean it'll be accepted, of course. But crashing the validator tool gives me almost nothing to work with to fix the problem.)

Is there any way I can get in touch with a Salesforce technical person to report the internal server errors and nudge them to upgrade their SAML assertion validator so that it reports useful information instead of crashing in this case?

And more directly, does anyone either know what the problem is, or have an example of an encrypted assertion that Salesforce accepts that I can base further experiments on?

Best Answer

There are examples of encrypted assertions Salesforce wants as an SP in https://help.salesforce.com/articleView?id=sso_saml_assertion_examples.htm&type=5

When I try your response with SAML Validator in my Dev Ed org, it doesn't blow up. I get the expected "Unable to parse the response" with "Data encryption key may not be null" as a more specific error message. The latter message makes sense - it doesn't know how to resolve the wrapped key since I don't have your keypair and SAML Validator doesn't know what IdP config/metadata to use.

Here's the encrypted response that Salesforce emits as an IdP


<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="..." ID="_29ae1f1f3533f532b16dd6441226baa91557114849567" IssueInstant="2019-05-06T03:54:09.567Z" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://blah.my.salesforce.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_29ae1f1f3533f532b16dd6441226baa91557114849567">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xenc"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>N3EWufNWXbpY1NDWRk8M4sfv+NM=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>....</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_6abe53cbeed22854b456ced0867305f2" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey" URI="#_87fcbe553f29ac429e5133904115d774"/>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="_87fcbe553f29ac429e5133904115d774">
      <xenc:EncryptionMethod xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
        <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      </xenc:EncryptionMethod>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyValue>
          <ds:RSAKeyValue>
            <ds:Modulus>...</ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
          </ds:RSAKeyValue>
        </ds:KeyValue>
      </ds:KeyInfo>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#_6abe53cbeed22854b456ced0867305f2"/>
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
  </saml:EncryptedAssertion>
</samlp:Response>

Note the decryption key (EncryptedKey element) alongside rather than within the encrypted data (EncryptedData element) and the public key embedded inside the decryption key. From a spec perspective having decryption key inside EncryptedData as shown in your example is also valid and there should be no need to transmit the public key...but if you can change your response to mimic SF IdP, it might be worth a shot.

If you can't get it to work, post your question to Salesforce Identity group on SF-managed communities:

https://success.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F9300000001q1N

Best Answer

Related Solutions

[SalesForce] Salesforce as IdP with ADFS 2.0

[SalesForce] Google SAML Error

Related Topic