I have been able to federate a portal with an ADFS identity provider over SAML2 and verified this works fine. I would like to encrypt the claims contained in the SAML2 token, however I am unsure how to configure this out of the box with a portal.
I can confirm that the SAML2 claims are encrypted correctly by ADFS, but the portal is not able to decrypt the token and throws a 404.
I performed the following steps:
1. Modified the web.config to include:
a. Certificate reference to the encryption certificate in the microsoft.identitymodel service section
b. Added the Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler handler in the microsoft.identitymodel service section
2. Granted the portal application pool account read permission to the private key.
My guess is that the EncryptedSecurityTokenHandler only knows how to handle SAML1.1 tokens issued by a WS-Federation IDP. If that is the case, how can I configure the portal to decrypt the SAML2 token?