Unable to decrypt SAML assertion

Hi - I’m getting the following error when trying to perform SAML login with Okta as IdP when enabling the “WantsAssertionsEncrypted” option:

System.ArgumentNullException: Value cannot be null. (Parameter 'key')

On the Okta side, I uploaded the *.pem and on my app side, I'm providing the X509 cert as part of the GetLocalServiceProviderEncryptionCertificatesAsync implementation. To note, my app using SAML for SSO against IdPs like Okta and many others has worked fine for many years. We're in the process of trying to add Assertion Encryption support and have run into this issue. Any ideas?

Debug Trace below

Thanks!

Mike Oliver

ComponentSpace.Saml2.SamlProvider: Debug: XML signature verified: True
ComponentSpace.Saml2.SamlServiceProvider: Debug: The SAML response signature verified.
ComponentSpace.Saml2.SamlServiceProvider: Debug: The SAML response status is success.
ComponentSpace.Saml2.SamlServiceProvider: Debug: Decrypting the SAML assertion.
ComponentSpace.Saml2.SamlServiceProvider: Debug: Decryption certificate subject: CN=MYHOSTNAME, serial number: 5F16C65337C4479441A64E70DCD1AA71, thumbprint: 66AEC696AD73CE73B293FC2AC3C6FA1756E2FA57
ComponentSpace.Saml2.SamlProvider: Debug: Decrypting XML: <xenc:EncryptedData Id="_d055bff9db530aa4a068e0639521b497" Type="XML Encryption Syntax and Processing" xmlns:xenc="XML Encryption Syntax and Processing"><xenc:EncryptionMethod Algorithm="XML Encryption Syntax and Processing" xmlns:xenc="XML Encryption Syntax and Processing" /><ds:KeyInfo xmlns:ds="XML-Signature Syntax and Processing"><ds:RetrievalMethod Type="XML Encryption Syntax and Processing" URI="#_c112b911289a0258081c9899d47de8c4" /></ds:KeyInfo><xenc:CipherData xmlns:xenc="XML Encryption Syntax and Processing"><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
ComponentSpace.Saml2.XmlSecurity.Encryption.XmlEncryption: Debug: Decrypting the encrypted symmetric key using XML Encryption Syntax and Processing.
ComponentSpace.Saml2.SamlServiceProvider: Error: Receiving an SSO response from a partner identity provider has failed.

ComponentSpace.Saml2.Exceptions.SamlEncryptionException: Failed to decrypt XML.
 ---> ComponentSpace.Saml2.Exceptions.SamlEncryptionException: An error occurred attempting to decrypt the XML.
 ---> System.ArgumentNullException: Value cannot be null. (Parameter 'key')
   at System.ArgumentNullException.Throw(String paramName)
   at System.ArgumentNullException.ThrowIfNull(Object argument, String paramName)
   at System.Security.Cryptography.RSAOAEPKeyExchangeDeformatter..ctor(AsymmetricAlgorithm key)
   at ComponentSpace.Saml2.XmlSecurity.Encryption.RsaOaepMgf1pXmlKeyEncryptionExtension.DecryptSymmetricKey(EncryptedKey encryptedKey, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm)
   at ComponentSpace.Saml2.XmlSecurity.Encryption.XmlEncryption.DecryptSymmetricKey(EncryptedKey encryptedKey, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm)
   at ComponentSpace.Saml2.XmlSecurity.Encryption.XmlEncryption.Decrypt(XmlElement encryptedElement, IEnumerable`1 encryptedKeyElements, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm, String dataEncryptionAlgorithm)
   --- End of inner exception stack trace ---
   at ComponentSpace.Saml2.XmlSecurity.Encryption.XmlEncryption.Decrypt(XmlElement encryptedElement, IEnumerable`1 encryptedKeyElements, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm, String dataEncryptionAlgorithm)
   at ComponentSpace.Saml2.SamlProvider.DecryptXml(XmlElement encryptedElement, IEnumerable`1 encryptedKeyElements, AsymmetricAlgorithm keyDecryptingKey, String keyEncryptionAlgorithm, String dataEncryptionAlgorithm)
   --- End of inner exception stack trace ---
   at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
   at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
   at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
   at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()

The SAML assertion is decrypted using the SP’s private key.

Does the certificate returned by GetLocalServiceProviderEncryptionCertificatesAsync include a private key?

If there’s still an issue, please send the complete SAML log file as an email attachment to support@componentspace.com.
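An added pre-flight check (example code, not ComponentSpace's and not from either post) that a .NET service provider can run on the certificate before returning it from its GetLocalServiceProviderEncryptionCertificatesAsync implementation. The PFX path and password are assumed inputs; the public-only .pem uploaded to Okta is the wrong file to load here.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of the ComponentSpace library.
public static class SpDecryptionCertCheck
{
    // pfxPath/password are assumed inputs: the PKCS#12 file holding the SP's key pair.
    public static X509Certificate2 LoadAndVerify(string pfxPath, string? password)
    {
        var cert = new X509Certificate2(pfxPath, password);

        // The .pem/.cer uploaded to the IdP carries only the public key, which is all the
        // IdP needs to encrypt. Loading that same file on the SP side yields a certificate
        // with HasPrivateKey == false, so the library has no key to hand to the RSA-OAEP
        // key-transport decryptor, matching the null 'key' parameter in the trace.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate {cert.Thumbprint} has no private key; the SP must load the PFX/PKCS#12, not the public .pem/.cer.");

        using RSA? privateKey = cert.GetRSAPrivateKey();
        if (privateKey is null)
            throw new InvalidOperationException(
                "Private key is present but is not RSA or is not accessible to this process.");

        // Round-trip a random 256-bit symmetric key with RSA-OAEP (MGF1/SHA-1, the key
        // transport named in the trace) so key-access or permission problems surface here
        // rather than inside the SAML response handler.
        using RSA publicKey = cert.GetRSAPublicKey()!;
        byte[] symmetricKey = RandomNumberGenerator.GetBytes(32);
        byte[] wrapped = publicKey.Encrypt(symmetricKey, RSAEncryptionPadding.OaepSHA1);
        byte[] unwrapped = privateKey.Decrypt(wrapped, RSAEncryptionPadding.OaepSHA1);
        if (!CryptographicOperations.FixedTimeEquals(symmetricKey, unwrapped))
            throw new CryptographicException("RSA-OAEP unwrap did not return the original key.");

        return cert;
    }
}
```

Run it once at startup with the same file and password the SAML configuration uses; if it throws, the decryption failure is a key-loading problem rather than a SAML one.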