The following error appears in the audit logs when attempting SAML 2.0 token decryption:
Unable to decrypt elements(s): Encryption recipient was not recognized as addressed to a private key possessed by this Gateway. Exception caught!
The solution is to export the certificate that belongs to the private key and import it as a Trusted Certificate on the Gateway.