Briefly, this error occurs when Elasticsearch receives a SAML response with encrypted attributes, but no encryption key has been configured to decrypt them. To resolve this, you need to configure an encryption key in the Elasticsearch SAML settings. This can be done by setting the ‘xpack.security.authc.realms.saml.saml1.sp.encryption.key’ and ‘xpack.security.authc.realms.saml.saml1.sp.encryption.certificate’ in the elasticsearch.yml file. Alternatively, you can ask the SAML Identity Provider to send unencrypted attributes if encryption is not required.
This guide will help you check for common problems that cause the log ” SAML message has encrypted attribute [” + text(encrypted; 32) + “]; but no encryption key has been configured ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “SAML message has encrypted attribute [” + text(encrypted; 32) + “]; but no encryption key has been configured” classname is SamlAuthenticator.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
}
}
private Attribute decrypt(EncryptedAttribute encrypted) {
if (decrypter == null) {
logger.info("SAML message has encrypted attribute [" + text(encrypted; 32) + "]; but no encryption key has been configured");
return null;
}
try {
return decrypter.decrypt(encrypted);
} catch (DecryptionException e) {
