
SSO Troubleshooting: The SAML assertion could not be decrypted

Learn what to do if you receive this error.

Error

During SSO, you may see this message when a user attempts to log in:

The SAML assertion could not be decrypted. Verify that certificates are valid.


Explanation

This error occurs when an X.509 certificate is invalid or there is a certificate mismatch between the identity provider (IdP) and Foundry. It typically happens only if the IdP encrypts its SAML assertions (which is generally recommended).

In a SAML implementation, two public X.509 certificates are involved:

  • One for the Identity Provider organization
  • One for the Service Provider organization

Each system must “know” the other’s certificate:

  • In the IdP configuration for the Everfi service provider, the Everfi public X.509 certificate is stored.
  • In Foundry, the IdP’s certificate (or its fingerprint) is stored, along with a reference to the specific Everfi certificate the IdP uses. This setup allows Everfi to rotate its certificates between an older and a newer one without breaking trust.

If these certificates are out of sync, decryption of SAML assertions will fail, resulting in the error message above. This can happen if:

  • The IdP’s X.509 certificate is out of sync with Foundry
  • The Everfi X.509 certificate is out of sync with the IdP
  • The certificate is incorrectly formatted


When this problem can occur

This issue rarely occurs in a stable environment. It typically happens when:

  • The Everfi X.509 certificate is changed in the IdP without updating the Foundry configuration
  • The Foundry IdP configuration is updated with the wrong certificate for the partner organization
  • The X.509 certificate is improperly formatted


How to solve this error

  • Verify that the X.509 certificates are synchronized across both systems.
  • Ensure the certificate entered in the Foundry IdP configuration is correctly formatted.


Technical background

This error occurs when Foundry encounters one of the following exceptions while attempting to decrypt an encrypted SAML assertion:

OpenSSL::X509::CertificateError
OpenSSL::PKey::RSAError
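The two checks under "How to solve this error" and the two exceptions above can be reproduced with Ruby's OpenSSL bindings, which is where these exception classes come from. The following is an added example, not Foundry's or Everfi's own code: it parses a PEM certificate (a malformed one raises OpenSSL::X509::CertificateError), compares fingerprints to confirm both systems hold the same certificate, and shows that an assertion encrypted to a rotated-but-unsynced certificate fails with OpenSSL::PKey::RSAError. The self-signed certificates, the "sp.example" name and the broken PEM are constructed fixtures.

```ruby
require 'openssl'

# Parse a PEM-encoded certificate. A malformed PEM (the third cause listed
# above) surfaces as OpenSSL::X509::CertificateError.
def parse_certificate(pem)
  [:ok, OpenSSL::X509::Certificate.new(pem)]
rescue OpenSSL::X509::CertificateError => e
  [:malformed, e.message]
end

# SHA-256 fingerprint in the colon-separated form IdP consoles usually show.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# True only when both PEMs parse and are the same certificate (same DER bytes).
def certificates_in_sync?(pem_a, pem_b)
  a = parse_certificate(pem_a)
  b = parse_certificate(pem_b)
  a[0] == :ok && b[0] == :ok && fingerprint(a[1]) == fingerprint(b[1])
end

# Service-provider side of decryption: the IdP encrypted to one certificate,
# the SP tries its own private key. A certificate that was rotated in one
# system but not the other surfaces here as OpenSSL::PKey::RSAError.
def try_decrypt(ciphertext, sp_key)
  [:ok, sp_key.private_decrypt(ciphertext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)]
rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::PKeyError => e
  [:rsa_error, e.class.name]
end

# Throwaway self-signed certificate and key (constructed fixture, not a real SP cert).
def self_signed(cn, bits = 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

if __FILE__ == $PROGRAM_NAME
  old_cert, old_key = self_signed('sp.example')   # certificate the IdP still holds
  new_cert, new_key = self_signed('sp.example')   # certificate the SP rotated to
  puts certificates_in_sync?(old_cert.to_pem, new_cert.to_pem)
  blob = old_cert.public_key.public_encrypt('session-key', OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  p try_decrypt(blob, new_key)[0], try_decrypt(blob, old_key)[0]
  p parse_certificate("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")[0]
end
```

Comparing the fingerprint printed by `fingerprint` on the certificate stored in each system is the quickest way to confirm the two copies are the same certificate rather than an older and a newer one.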