SSO Troubleshooting: The SAML assertion could not be decrypted
Learn how to resolve a SAML decryption error caused by certificate issues
What This Error Means
During single sign‑on, a user attempts to log in and Foundry displays the following error:
The SAML assertion could not be decrypted. Verify that certificates are valid.
This means Foundry was unable to decrypt the SAML assertion sent by the identity provider.
Why This Happens
This error occurs when there is an invalid or mismatched X.509 certificate between the identity provider (IdP) and Foundry.
This issue typically appears only when the identity provider encrypts SAML assertions (which is generally recommended), because decryption is the step that depends on the service provider's certificate and private key.
In a SAML integration:
- The identity provider has its own public X.509 certificate
- Foundry (the service provider) also has a public X.509 certificate
- Each system must have the other system’s correct certificate configured
In Foundry:
- The IdP’s certificate (or certificate fingerprint) is stored
- Foundry also tracks which Foundry certificate the IdP is using so certificates can be rotated without breaking trust
If these certificates are out of sync, improperly formatted, or incorrect, Foundry cannot decrypt the assertion.
When This Issue Typically Occurs
This error is uncommon in stable environments. It most often occurs when:
- The Foundry X.509 certificate is changed in the IdP but not updated in Foundry
- The Foundry IdP configuration contains the wrong certificate for the partner organization
- An X.509 certificate is improperly formatted
How to Resolve the Issue
- Verify the X.509 certificates are synchronized between Foundry and your identity provider
- Confirm the certificate entered in the Foundry IdP configuration:
  - Matches the certificate used by the identity provider
  - Is correctly formatted
- If certificates were recently rotated, ensure both systems reference the same active certificate
After updating the configuration, retry the SSO login.
Technical Background
This error occurs when Foundry encounters one of the following exceptions while attempting to decrypt an encrypted SAML assertion:
OpenSSL::X509::CertificateError
OpenSSL::PKey::RSAError
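As an added example (not Foundry's code), the following Ruby script shows the checks behind the resolution steps above and the two exceptions listed: it prints the SHA-256 fingerprint an operator compares against the IdP console, classifies a malformed certificate versus a private key that does not match the certificate the IdP encrypts to, and reproduces the OpenSSL::PKey::RSAError raised when a wrapped session key is decrypted with the wrong key. The helper names and the self-signed certificate are assumptions so that it runs offline.

```ruby
require 'openssl'

# Hypothetical helper: build a self-signed certificate for a key so the
# example runs offline (constructed test material, not a Foundry certificate).
def self_signed_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA-256 fingerprint in the colon-separated form most IdP consoles display,
# so the value stored in Foundry can be compared with the one the IdP uses.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Classify why an encrypted assertion would fail to decrypt, given the PEM
# certificate the IdP encrypts to and the private key the SP decrypts with.
# Returns :bad_certificate, :key_mismatch or :ok.
def diagnose_sp_keypair(cert_pem, sp_key)
  cert = OpenSSL::X509::Certificate.new(cert_pem) # malformed PEM raises CertificateError
  return :key_mismatch unless cert.check_private_key(sp_key)
  :ok
rescue OpenSSL::X509::CertificateError
  :bad_certificate
end

# The failure mode itself: the IdP wraps a session key to the certificate's
# public key (RSA-OAEP, as in XML Encryption); unwrapping with a non-matching
# SP key raises OpenSSL::PKey::RSAError, which this returns as nil.
def unwrap_session_key(cert, sp_key, session_key)
  oaep = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
  wrapped = cert.public_key.public_encrypt(session_key, oaep)
  sp_key.private_decrypt(wrapped, oaep)
rescue OpenSSL::PKey::RSAError
  nil
end

if __FILE__ == $0
  current = OpenSSL::PKey::RSA.new(2048) # key Foundry actually holds
  rotated = OpenSSL::PKey::RSA.new(2048) # key behind the certificate the IdP was given
  cert = self_signed_cert(rotated, 'foundry-sp')
  puts "IdP-side certificate fingerprint: #{fingerprint(cert)}"
  puts "diagnosis: #{diagnose_sp_keypair(cert.to_pem, current)}" # key_mismatch
end
```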