When we started working on the passport-saml service provider, we didn’t try the encryption of the requests and responses. Now, the responses sent by the IDP are not encrypted. It is good to have the requests and responses encrypted. I tried encryption on my local computer and it is working fine. It just needs a couple of configuration changes in the passport-saml options. I have made the changes in this merge request. Please place the idp-signing cert in the appropriate place where you store the certificates. Also, for encrypting requests (in the decrypt private key option), an existing key can be used or a new SSL key can be generated using openssl. Please send me the public key, which I can add to the metadata.