A CryptographicException: Bad Key error may occur whilst attempting to decrypt an encrypted SAML assertion.
If the decryption key is stored in a PFX file, ensure the key is marked for encryption and signature usage rather than just signature usage. This is the -sky exchange option when using the Microsoft makecert tool.
If this wasn't specified at PFX creation time, the following commands may be used to set this option.
openssl pkcs12 -in sp.pfx -out sp.pem
openssl pkcs12 -export -in sp.pem -out good-sp.pfx -keyex