Unable to login using Idp in ArcGIS Enterprise. IDP supports Encrypted SAML Assertion, but sends unencrypted Assertion

Error Message

When attempting to log in to ArcGIS Enterprise with Security Assertion Markup Language (SAML), the following error is returned:

Error:   
Unable to login using Idp. IDP supports Encrypted SAML Assertion, but sends unencrypted Assertion

Cause

• The Encrypt Assertion option is enabled in Portal for ArcGIS.
• The samlcert certificate is not imported into the identity provider (IDP) portal.

Solution or Workaround

Disable the Encrypt Assertion option

1. Log in to Portal for ArcGIS and click Organization > Settings > Security.
2. In the Logins section, select the IDP.
3. On the Specify properties page, expand Show advanced settings.
4. Disable the Encrypt Assertion option.
5. Click Save.

Import the samlcert certificate into the IDP portal

Note: 
The following workaround may require the assistance of the organization's IT team.

1. Disable the Encrypt Assertion option.
   1. Log in to Portal for ArcGIS and click Organization > Settings > Security.
   2. In the Logins section, select the identity provider.
   3. On the Specify properties page, expand Show advanced settings.
   4. Disable the Encrypt Assertion option.
   5. Click Save.
2. Export the samlcert certificate.
   1. Log in to the ArcGIS Portal Administrator Directory.
   2. Click Security > SSLCertificates.
   3. Click the existing samlcert certificate.
   4. Click Export.
3. Import the samlcert certificate into the IDP portal and find the token encryption settings.
4. Activate the samlcert certificate once it is imported.
5. Enable the Encrypt Assertion option.
   1. Log in to Portal for ArcGIS and click Organization > Settings > Security.
   2. In the Logins section, select the IDP.
   3. On the Specify properties page, expand Show advanced settings.
   4. Enable the Encrypt Assertion option.
   5. Click Save.
6. Clear the browser cache and log back in using the SAML login.