Because xml-encryption.decrypt tries to decrypt the "EncryptedKey" (https://github.com/auth0/node-xml-encryption/blob/master/lib/xmlenc.js#L129) before decrypting "EncryptedData", need to pass the entire "EncryptedAssertion" to xml-encryption.decrypt, so the "EncryptedKey -> EncryptedMethod" can be found with a signed SamlRespone, with a signed and encrypted Assertion. Per the spec (http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd), the "EncryptedData" and "EncryptedKey" are separate AND the "EncryptedKey" can be referenced from the "EncryptedData"
... which is happening in the attached assertion.
saml_assertion_refs_EncryptedKey.xml.txt
Because xml-encryption.decrypt tries to decrypt the "EncryptedKey" (https://github.com/auth0/node-xml-encryption/blob/master/lib/xmlenc.js#L129) before decrypting "EncryptedData", need to pass the entire "EncryptedAssertion" to xml-encryption.decrypt, so the "EncryptedKey -> EncryptedMethod" can be found with a signed SamlRespone, with a signed and encrypted Assertion. Per the spec (http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd), the "EncryptedData" and "EncryptedKey" are separate AND the "EncryptedKey" can be referenced from the "EncryptedData"
... which is happening in the attached assertion.
saml_assertion_refs_EncryptedKey.xml.txt