In the application I am working on I have configured SAML SSO with a Windows ADFS server. We are exposing our SAML metadata through a metadata endpoint for the ADFS Relying Party Trust configuration. In that FederationMetadata.xml file, we include a signing certificate as well as an encryption certificate. In the identity provider configuration inside the application, I have set SignAuthnRequest, SignLogoutRequest, and WantAssertionSigned to true. But I have not set WantAssertionEncrypted to true; it is set to false. When I try to authenticate with the AD FS server, the user is able to log in and everything works fine. But when I inspect the SAML Auth Response from the ADFS server, it contains an Encrypted Assertion. I am assuming that since ADFS has the encryption certificate it automatically encrypts every SAML Auth Response assertion. But my question is: since I have WantAssertionEncrypted set to false, how can the ComponentSpace.SAML library know that the assertion is encrypted and needs to be decrypted using our private key, since I have not explicitly told it to do so?
Does the Library automatically decrypt the assertion even if it is not specifically configured to do so?
Your understanding is correct.
If the assertion is encrypted we will decrypt it.
If WantAssertionEncrypted is true and the assertion is not encrypted, this is an error.
If WantAssertionEncrypted is false we will decrypt the assertion if required but it’s not mandatory that the assertion is encrypted.
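The rule described in the answer above, written out as an added example in Python (this is not ComponentSpace code): a service provider can tell whether decryption is needed from the element name in the Response (saml:EncryptedAssertion versus saml:Assertion), and WantAssertionEncrypted only decides whether a clear-text assertion is rejected. The two sample responses are constructed here with placeholder content and no real ciphertext or signatures.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by a samlp:Response
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

class AssertionPolicyError(Exception):
    """Raised when the Response does not satisfy the SP's assertion policy."""

def classify_assertion(response_xml: str, want_assertion_encrypted: bool) -> str:
    """Return "encrypted" if the Response carries a saml:EncryptedAssertion,
    or "plain" if it carries a clear-text saml:Assertion.

    An encrypted assertion is always decrypted (the element name, not a
    configuration flag, tells the SP to do so); WantAssertionEncrypted=True
    additionally makes a clear-text assertion an error.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise AssertionPolicyError("root element is not samlp:Response")
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    plain = root.findall("saml:Assertion", NS)
    if len(encrypted) + len(plain) != 1:
        raise AssertionPolicyError("expected exactly one assertion, found %d"
                                   % (len(encrypted) + len(plain)))
    if encrypted:
        # Decryption with the SP private key happens at this point, before the
        # inner saml:Assertion's signature and conditions are validated.
        return "encrypted"
    if want_assertion_encrypted:
        raise AssertionPolicyError(
            "WantAssertionEncrypted is true but the assertion is in the clear")
    return "plain"

# Constructed minimal responses (placeholder content, no real ciphertext).
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""
```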
Thank you for the clarification.
You’re welcome.