SAML-Toolkits / python3-saml

MIT License

Using wantMessagesSigned with encrypted assertions causes "invalid response" #304

Closed Go2ClassPoorYorick closed 1 year ago

Go2ClassPoorYorick commented 2 years ago

I have a OneLogin application set up with the following configuration:

```json
"security": {
    "nameIdEncrypted": false,
    "authnRequestsSigned": true,
    "logoutRequestSigned": true,
    "logoutResponseSigned": true,
    "signMetadata": true,
    "wantMessagesSigned": true,
    "wantAssertionsSigned": true,
    "wantNameId": true,
    "wantNameIdEncrypted": false,
    "wantAssertionsEncrypted": false,
    "allowSingleLabelDomains": false,
    "wantAttributeStatement": false,
    "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "digestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256"
}
```

That works fine.

However, enabling encryption in my OneLogin portal results in an error: "Invalid_response The message of the response is not signed and the SP require it"

This doesn't make sense, as my application can clearly decrypt the request, because disabling "wantMessagesSigned" allows me to log in successfully with encryption enabled.

Has anyone had or solved similar issues? Is signing the message useful when we're encrypted using the x.509 anyway?

pitbulk commented 1 year ago

The flag 'wantAssertionsSigned' will verify that the Assertion inside the SAMLResponse is signed.

If you provide an encrypted Assertion, the toolkit will decrypt it and then confirm that the decrypted assertion is signed.

It seems OneLogin does not sign the assertion when you encrypt it, so you are getting this error.
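As an added illustration of the two checks discussed in this thread (example code, not from the issue or from python3-saml): a presence-only triage using the Python standard library that reports where a decoded SAMLResponse carries a ds:Signature (directly under samlp:Response for wantMessagesSigned, inside the Assertion for wantAssertionsSigned) and which SP setting it would fail. It does not verify signatures cryptographically, and the two sample responses, with their empty ds:Signature elements and placeholder EncryptedData, are constructed.

```python
# Triage which "want*Signed" settings a SAMLResponse can satisfy by locating
# ds:Signature elements. Presence only: no cryptographic verification here.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_report(response_xml: str) -> dict:
    """message_signed: ds:Signature directly under samlp:Response.
    assertion_signed: ds:Signature under a plaintext saml:Assertion, or None
    when the assertion is encrypted (only knowable after decryption, which is
    the step the toolkit performs before checking the assertion signature)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    message_signed = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    assertion_signed = None if assertion is None else (
        assertion.find("ds:Signature", NS) is not None)
    return {"message_signed": message_signed,
            "assertion_encrypted": encrypted,
            "assertion_signed": assertion_signed}

def failing_settings(report: dict, want_messages_signed: bool,
                     want_assertions_signed: bool) -> list:
    """SP settings this response would fail; an encrypted assertion is not
    counted as failing wantAssertionsSigned until it has been decrypted."""
    failures = []
    if want_messages_signed and not report["message_signed"]:
        failures.append("wantMessagesSigned")
    if want_assertions_signed and report["assertion_signed"] is False:
        failures.append("wantAssertionsSigned")
    return failures

# Constructed sample: encrypted assertion, no message-level signature. This is
# the shape that trips wantMessagesSigned with the error quoted in the issue.
ENCRYPTED_UNSIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion><xenc:EncryptedData
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">PLACEHOLDER</xenc:EncryptedData>
  </saml:EncryptedAssertion></samlp:Response>"""

# Constructed sample: plaintext assertion, signature at both levels (empty
# ds:Signature stands in for a real XML-DSig block).
SIGNED_BOTH = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0"><ds:Signature/>
  <saml:Assertion ID="_a2" Version="2.0"><ds:Signature/></saml:Assertion></samlp:Response>"""
```

Feed it a base64-decoded SAMLResponse to see whether the IdP signed the message, the assertion, or neither before changing the SP flags.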