The 'EncryptedKey' element in a SAML message does not comply with the XML Encryption specification https://www.w3.org/TR/xmlenc-core1/ when 'rsa-oaep-mgf1p' is used as the key transport algorithm.
- Set up AM as hosted SP
- Set up another AM as hosted IdP
- Create the SAML trust and configure the KeyDescriptor in the IdP's metadata to use 'rsa-oaep-mgf1p'
- Configure the SP to encrypt the NameID
- Perform SP-initiated SSO
- Perform SP-initiated SLO using the HTTP POST binding
The http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p identifier defines the mask generation function as the fixed value of MGF1 with SHA1. In this case the optional xenc11:MGF element of the xenc:EncryptionMethod element MUST NOT be provided.
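The rule quoted above can be checked mechanically against an outgoing or captured message. The following Python is an added example written for this page; it is not code from this report, from AM or from Apache Santuario. The saml:EncryptedID it parses is a constructed sample with placeholder ciphertext (the base64 string is a dummy value), and the only rules it enforces are the one quoted above for rsa-oaep-mgf1p and the xenc11:rsa-oaep case, where the MGF element is permitted.

```python
import xml.etree.ElementTree as ET

# Namespaces from XML Encryption 1.0/1.1, XML Signature and SAML 2.0.
XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

RSA_OAEP_MGF1P = XENC + "rsa-oaep-mgf1p"   # MGF fixed to MGF1/SHA-1, xenc11:MGF MUST NOT appear
RSA_OAEP = XENC11 + "rsa-oaep"             # MGF selectable via optional xenc11:MGF

for prefix, uri in (("xenc", XENC), ("xenc11", XENC11), ("ds", DS), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

MGF_NOT_ALLOWED = ("xenc11:MGF MUST NOT be present: rsa-oaep-mgf1p already fixes "
                   "the mask generation function to MGF1 with SHA-1")


def sample_encrypted_id(key_algorithm, include_mgf):
    """Build a constructed saml:EncryptedID as a test input (placeholder ciphertext).

    This mimics the shape of an encrypted NameID: EncryptedData carrying the
    symmetric ciphertext and one EncryptedKey carrying the wrapped session key.
    """
    mgf = f'<xenc11:MGF Algorithm="{XENC11}mgf1sha1"/>' if include_mgf else ""
    return f"""<saml:EncryptedID xmlns:saml="{SAML}" xmlns:xenc="{XENC}"
    xmlns:xenc11="{XENC11}" xmlns:ds="{DS}">
  <xenc:EncryptedData Type="{XENC}Element">
    <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    <xenc:CipherData><xenc:CipherValue>ZHVtbXk=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="{key_algorithm}">
      <ds:DigestMethod Algorithm="{DS}sha1"/>
      {mgf}
    </xenc:EncryptionMethod>
    <xenc:CipherData><xenc:CipherValue>ZHVtbXk=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey>
</saml:EncryptedID>"""


def check_encrypted_keys(xml_text):
    """Return a list of (key_index, algorithm, message) problems for every
    xenc:EncryptedKey in the document; an empty list means no violation of
    the rules checked here.
    """
    root = ET.fromstring(xml_text)
    problems = []
    for idx, enc_key in enumerate(root.iter(f"{{{XENC}}}EncryptedKey")):
        method = enc_key.find(f"{{{XENC}}}EncryptionMethod")
        if method is None:
            problems.append((idx, None, "EncryptedKey has no xenc:EncryptionMethod child"))
            continue
        algorithm = method.get("Algorithm")
        has_mgf = method.find(f"{{{XENC11}}}MGF") is not None
        if algorithm == RSA_OAEP_MGF1P and has_mgf:
            problems.append((idx, algorithm, MGF_NOT_ALLOWED))
        # For xenc11:rsa-oaep the MGF element is optional, so nothing to flag.
    return problems


def strip_disallowed_mgf(xml_text):
    """Producer-side repair: drop xenc11:MGF under rsa-oaep-mgf1p EncryptionMethods.

    Returns (fixed_xml, number_of_elements_removed). Only meaningful before the
    message is signed; see the note following this block.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for method in root.iter(f"{{{XENC}}}EncryptionMethod"):
        if method.get("Algorithm") == RSA_OAEP_MGF1P:
            for mgf in method.findall(f"{{{XENC11}}}MGF"):
                method.remove(mgf)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    bad = sample_encrypted_id(RSA_OAEP_MGF1P, include_mgf=True)
    for problem in check_encrypted_keys(bad):
        print("non-compliant:", problem)
    fixed, n = strip_disallowed_mgf(bad)
    print(f"removed {n} xenc11:MGF element(s); remaining problems: {check_encrypted_keys(fixed)}")
```

The strip function illustrates what a compliant producer should emit, not a workaround to apply on the receiving side: a LogoutRequest sent over the HTTP POST binding is normally signed, so rewriting the EncryptedKey after receipt invalidates the signature. The fix has to happen where the EncryptedKey is generated (the XML Encryption library) or, as a receiver, in how strictly the extra element is tolerated when the algorithm is rsa-oaep-mgf1p.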
The bug is in Apache Santuario; it may be fixed by https://issues.apache.org/jira/browse/SANTUARIO-293