How to handle encrypted SAML response with openssl

Question

I'm trying to handle a encrypted SAML assertion with openssl. Sadly I'm using a programming language without a SAML library nor a fully featured crypto library. So I gotta use openssl via command line.

Here is a sample response

<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="..w3.org/2001/04/xmlenc#Element"
                            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="...w3.org/2001/04/xmlenc#aes256-cbc"/>
            <KeyInfo xmlns="..w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="...w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="...w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="...w3.org/2000/09/xmldsig#sha1"/>
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <o:SecurityTokenReference xmlns:o="...docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                            <X509Data>
                                <X509IssuerSerial>
                                    <X509IssuerName>...</X509IssuerName>
                                    <X509SerialNumber>...</X509SerialNumber>
                                </X509IssuerSerial>
                            </X509Data>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>MGxeR4c2EiwDaCc0WietayGyv7gbH3vn9P/HeY+c7c1k8JGx/BzJ4QjozKDE6oXF1GSJ/0vj8DeUaxNNWQVB02uWP0NcMyXkdD6lNh8jID87aeo/ynXrqJTVaHdIP4if+CZOHIho7yJvSnp0hudgI+5s3505s1...</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>2kSw6kZG8PC253q7itOQpcPkuvElzDljG4SYY5P1jI6GPDTufPrRl8VMiSqNyNsHb5RiWudhEpl4RV2UVGEbXrct5ibFfwj9VeTzrqZn0yYwsNBQFXEYBfSR5ZVXfl1GrTzmTtBdWqnnUWHfyVMgrvXXc0gQNVGCq0/gvTQdcEqb7heaRbzov/iIoqVnTsOF45Y+m1M/DvTj2ruoJfGihnEodqWvAOIOjErfj4R9q3bU+CS1NmWUEzeB6sGCaDg3+gBlCFSgKdBsO9B5VtHPkF19Cm5vN0Tx9d35Lba6CBuT51U2wdHe8GkRJwXrYP1sW9xMLf0l2LmXnxnFMViNcafx6TQJT0RGdrBvSuFWtnkFt6gm8VcNOrgRaYhQnN8Xc10PI4buaT6na/ccWyRzhv2VQvFfX3/e6bzeZcFO7u2mVqu1ZiZIEfMT2CvyZRlfDRr...</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>

So I know I have to decrypt the encrypted Key with my private key. The algorithm and digest are defined within the response

<e:EncryptionMethod Algorithm="...w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <DigestMethod Algorithm="...w3.org/2000/09/xmldsig#sha1"/>

So first I base64 decoded the key value, converted it to a BLOB and wrote it on disk "key.bin". Then I used this openssl commad openssl pkeyutl -in keyDecoded.bin -decrypt -inkey PrivKey.pem -pkeyopt rsa_padding_mode:none -pkeyopt rsa_oaep_md:sha1 -pkeyopt rsa_mgf1_md:sha1 -out result.bin 'result.bin' is 256 Bytes. The encryption method for the data is AES256, so the key is supposed to be 32bytes <xenc:EncryptionMethod Algorithm="...w3.org/2001/04/xmlenc#aes256-cbc"/>

For the data decryption I start the same, base64 decode -> BLOB -> dist as "data.bin" Then I use this oppen ssl line enc -aes-256-cbc -nosalt -nopad -d -in data.bin -K 'key BLOB from step 1 to HEX -iv 'first 16 bytes from the encrypted data BLOB to HEX'

I get 'hex string is too short, padding with zero bytes to length' and ':Provider routines:ossl_cipher_generic_block_final:wrong final block length'

I tried a lot of different variations, openssl parameters and such. Can anyone help me? Or point me to the right direction? The SAML response is from Microsoft Azure btw.

Thanks!

PS I modified the hyperlinks because it got flagged as spam