SAML 2.0 Response handling should have a better error message when decryption is not allowed

[jzheaux]

In Security 5.5, if a response cannot be decrypted due to the response being unsigned, the error message is misleading. The error message should explain that the response is encrypted, but unsigned and because of that, it will not be decrypted.

[svschouw-bb]

I just spent a few hours debugging, only to find out this was the issue.

[svschouw-bb]

Not sure if this is related or should be a new ticket, but I notice that OpenSamlMetadataResolver sets the WantAssertionsSigned to true. I still need to confirm this, but I found at least one StackOverflow comment saying that setting this to true means Identity Providers will sign the assertions instead of the response, leading to this problem.

[jzheaux]

Thanks, @svschouw-bb. I believe you may be right. Will you please file a separate ticket to make so that WantAssertionsSigned is left unset?