In both the SAML for ASP.NET and SAML for ASP.NET Core products, we support encrypting the NameID included in the SAML logout request. However, neither product supports decrypting the NameID in the SAML assertion.
It's extremely rare to see the NameID or SAML attributes encrypted. Instead, it's much more common and makes more sense to encrypt the entire SAML assertion if more privacy beyond that provided by the transport layer security is required.
Is there any possibility the IdP can encrypt the SAML assertion rather than just the NameID?
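To confirm which of the two the IdP is actually sending, the message can be inspected before it reaches the SAML library. The following is an added example, not part of the original reply and not the product's own code; the sample messages are constructed, and the function names and labels are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
_DECL = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"')
_ENC = "<xenc:EncryptedData/>"  # constructed stand-in for real ciphertext

# Constructed sample messages (not captured from any real IdP).
NAMEID_ONLY = (f"<samlp:Response {_DECL}><saml:Assertion><saml:Subject>"
               f"<saml:EncryptedID>{_ENC}</saml:EncryptedID>"
               "</saml:Subject></saml:Assertion></samlp:Response>")
WHOLE_ASSERTION = (f"<samlp:Response {_DECL}><saml:EncryptedAssertion>{_ENC}"
                   "</saml:EncryptedAssertion></samlp:Response>")
LOGOUT = (f"<samlp:LogoutRequest {_DECL}><saml:EncryptedID>{_ENC}"
          "</saml:EncryptedID></samlp:LogoutRequest>")

def from_post_binding(form_value):
    """Decode a SAMLResponse/SAMLRequest form field (HTTP-POST binding: base64)."""
    return base64.b64decode(form_value).decode("utf-8")

def encrypted_parts(xml_text):
    """Return which SAML elements arrive encrypted in a message."""
    if "<!DOCTYPE" in xml_text:  # SAML messages never need a DTD; refuse it
        raise ValueError("DTD found in SAML message")
    root = ET.fromstring(xml_text)
    parts = set()
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        parts.add("assertion")
    if root.find(".//saml:Subject/saml:EncryptedID", NS) is not None:
        parts.add("assertion-nameid")
    if root.find(".//saml:AttributeStatement/saml:EncryptedAttribute", NS) is not None:
        parts.add("attribute")
    if (root.tag == f"{{{NS['samlp']}}}LogoutRequest"
            and root.find("saml:EncryptedID", NS) is not None):
        parts.add("logout-nameid")
    return parts

def triage(xml_text):
    """Map the findings onto the two cases discussed in the reply above."""
    parts = encrypted_parts(xml_text)
    if "assertion-nameid" in parts:
        return "NameID-only encryption inside a plaintext assertion"
    if "assertion" in parts:
        return "whole assertion encrypted"
    return "no assertion-level encryption"
```

An `EncryptedID` under a visible `Subject` means the assertion itself is in the clear and only the identifier is encrypted, which is the case to raise with the IdP.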