Description
Hello, I'm attempting to create an IdP-initiated SSO SAML Response message with an encrypted SAML assertion. The SP requires that both the message and the assertion be signed, so my configuration looks like so:
```javascript
// Imports shared by the snippets below (samlify exports, Node fs).
const { readFileSync } = require('fs');
const { IdentityProvider, ServiceProvider, Constants } = require('samlify');

const idp = IdentityProvider({
  metadata: readFileSync(__dirname + '/metadata/idp.xml'),
  privateKey: readFileSync(__dirname + '/key/private-key.pem'),
  // Encrypt the assertion first, then sign the whole Response message.
  messageSigningOrder: 'encrypt-then-sign',
  isAssertionEncrypted: true,
  requestSignatureAlgorithm: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
  keyEncryptionAlgorithm: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
});
```
My SP configuration looks like so:
```javascript
const sp = ServiceProvider({
  // The SP expects the Response message itself to carry a signature.
  wantMessageSigned: true,
  metadata: readFileSync(__dirname + '/metadata/file.xml'),
});
```
In order to generate the response, I use the following:
```javascript
// IdP-initiated flow: no inbound AuthnRequest, so requestInfo is null.
// For the POST binding, `context` carries the base64-encoded SAMLResponse.
const { context } = await idp.createLoginResponse(
  sp,
  null,
  Constants.wording.binding.post,
  {},
);
```
I am utilizing samltool.io in order to validate the signature on the generated response. When isAssertionEncrypted is true, the signature on the message cannot be validated. When isAssertionEncrypted is false, the signature is validated with no issues. I have tried both 'encrypt-then-sign' and 'sign-then-encrypt' with no luck. I figured an online tool with no access to decrypt the assertion would require the 'encrypt-then-sign' variant, but regardless it doesn't seem to be able to validate the signature. Has anyone had success with this?