...
In some cases, you may require encrypted assertions. This can be enabled after setup in the SAML Response section of Advanced SAML settings:
...
Once enabled, the metadata endpoint will publish both a signing key and an encryption key, and the IdP is required to both sign and encrypt assertions using the key. Regular non-encrypted assertions will no longer be accepted.
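A structural check for the behaviour described above, added here as an example (not the product's own code): it reads SP metadata for signing and encryption `KeyDescriptor` entries and tells a response with a plain `Assertion` apart from one with only `EncryptedAssertion`. The sample XML and the entity ID are constructed, with key material omitted; the check does not verify signatures or decrypt anything.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

def key_uses(metadata_xml):
    """Return the key uses the SP advertises in its metadata."""
    root = ET.fromstring(metadata_xml)
    uses = set()
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        # A KeyDescriptor with no "use" attribute applies to both purposes.
        uses |= {use} if use else {"signing", "encryption"}
    return uses

def assertion_kinds(response_xml):
    """Count plain and encrypted assertions directly under the Response."""
    root = ET.fromstring(response_xml)
    return {
        "plain": len(root.findall("saml:Assertion", NS)),
        "encrypted": len(root.findall("saml:EncryptedAssertion", NS)),
    }

def acceptable_when_encryption_required(response_xml):
    """True only if every assertion in the response is encrypted."""
    kinds = assertion_kinds(response_xml)
    return kinds["encrypted"] >= 1 and kinds["plain"] == 0

# Constructed samples (hypothetical entity ID, key material omitted).
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"/>
    <md:KeyDescriptor use="encryption"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

_RESPONSE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
             ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{}'
             '</samlp:Response>')
PLAIN_RESPONSE = _RESPONSE.format("<saml:Assertion/>")
ENCRYPTED_RESPONSE = _RESPONSE.format("<saml:EncryptedAssertion/>")
```

Run `key_uses` against the metadata endpoint's output after enabling the setting to confirm both keys are published before the IdP configuration is changed.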
...