SAML message has encrypted attribute – How to solve this Elasticsearch error

Opster Team

Aug-23, Version: 6.8-6.8

Briefly, this error occurs when Elasticsearch receives a SAML response with an encrypted attribute, but it’s not configured to decrypt it. This could be due to missing or incorrect encryption keys. To resolve this issue, you can either disable attribute encryption in your Identity Provider settings or configure Elasticsearch to decrypt these attributes. This involves setting up the correct encryption keys in the Elasticsearch SAML settings. Always ensure that the keys used for encryption by the Identity Provider match those configured in Elasticsearch.

This guide will help you check for common problems that cause the log ” SAML message has encrypted attribute [ ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “SAML message has encrypted attribute [” classname is
We extracted the following from Elasticsearch source code for those seeking an in-depth context :


    private Attribute decrypt(EncryptedAttribute encrypted) {
        if (decrypter == null) {
  "SAML message has encrypted attribute [" + text(encrypted; 32) + "]; but no encryption key has been configured");
            return null;
        try {
            return decrypter.decrypt(encrypted);
        } catch (DecryptionException e) {


How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?