diff --git a/authentik/providers/saml/processors/assertion.py b/authentik/providers/saml/processors/assertion.py
index e16d589e64e6..c0bd0e2101ae 100644
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@@ -320,14 +320,6 @@ def get_assertion(self) -> Element:
 ns=xmlsec.constants.DSigNs,
 )
 assertion.append(signature)
- if self.provider.encryption_kp:
- encryption = xmlsec.template.encrypted_data_create(
- assertion,
- xmlsec.constants.TransformAes128Cbc,
- self._assertion_id,
- ns=xmlsec.constants.DSigNs,
- )
- assertion.append(encryption)
 assertion.append(self.get_assertion_subject())
 assertion.append(self.get_assertion_conditions())
@@ -403,6 +395,13 @@ def _sign(self, element: Element):
 def _encrypt(self, element: Element, parent: Element):
 """Encrypt SAMLResponse EncryptedAssertion Element"""
+ # Create a standalone copy so namespace declarations are included in the encrypted content
+ element_xml = etree.tostring(element)
+ standalone_element = etree.fromstring(element_xml)
+
+ # Remove the original element from the tree since we're replacing it with encrypted version
+ parent.remove(element)
+
 manager = xmlsec.KeysManager()
 key = xmlsec.Key.from_memory(
 self.provider.encryption_kp.key_data,
@@ -429,11 +428,10 @@ def _encrypt(self, element: Element, parent: Element):
 xmlsec.template.encrypted_data_ensure_cipher_value(enc_key)
 try:
- enc_data = encryption_context.encrypt_xml(enc_data, element)
+ enc_data = encryption_context.encrypt_xml(enc_data, standalone_element)
 except xmlsec.Error as exc:
 raise InvalidEncryption() from exc
- parent.remove(enc_data)
 container.append(enc_data)
 def build_response(self) -> str:
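Review bot: The docstring of `_encrypt` no longer matches its contract: with the added `parent.remove(element)` the caller's `element` is detached from `parent` and must not be reused afterwards, which is worth stating since the signature is unchanged. Suggest `"""Encrypt a standalone copy of `element` into an EncryptedData appended to `container`; the original element is removed from `parent` and is stale afterwards."""`. The `etree.tostring`/`etree.fromstring` round-trip also serialises `element.tail` (lxml defaults to `with_tail=True`); for an element this code built itself the tail is presumably `None`, but `etree.tostring(element, with_tail=False)` would make the copy robust against trailing text that `fromstring` rejects. The body of `_encrypt` continues past this hunk.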
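Review bot: `parent.remove(element)`, added at the top of `_encrypt` in the previous hunk, runs before `encrypt_xml` has succeeded, so when `InvalidEncryption` is raised the response tree has already lost the plaintext assertion and holds no EncryptedData either. Because the exception propagates to the caller this fails closed rather than emitting a partial response, but moving the removal to the success path keeps the tree consistent on every path: place `parent.remove(element)` in an `else:` clause of the `try`, immediately before `container.append(enc_data)`. Dropping `parent.remove(enc_data)` looks correct, since `standalone_element` is the root of its own document and the in-place replacement that the removed line implies no longer touches `parent`. `container` is assigned outside this hunk.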