When a SAML IDP sends a signed assertion inside an encrypted assertion element, Keycloak SAML Adapter fails to validate it.
Decryption works fine but validation afterwards fails.

We tracked down the issue, and created a patch for it... You can find the JIRA with a link to the pull request in https://issues.jboss.org/browse/KEYCLOAK-4897

This blocks our adoption of the SSO version since we only use encrypted assertions, so without it nothing works. As long as this patch is not in the mailine, we need to remain with the patched community version.