It is set to 10y now for 3.x.
Just so you know, there still could be a bug in php-saml-sp (or simpleSAMLphp).
At least php-saml-sp does work with Shibboleth IdPs with EncryptedAssertion, but we'll look at that then...
Thanks for the trace. Whatever the exact error is, for sure it won't work as the encryption is done using "http://www.w3.org/2001/04/xmlenc#aes128-cbc", which is not supported by php-saml-sp for security reasons (it is very broken). We only support aes-256-gcm, so that would have to be fixed. I am not sure whether simpleSAMLphp now supports aes-256-gcm for EncryptedAssertion, but I saw some work on xmlseclib regarding aes-256-gcm.
If you want to have the legacy encryption working I'd recommend using Shibboleth-SP instead of php-saml-sp... See https://github.com/eduvpn/documentation/blob/v2/SAML.md for Shib instructions on Debian and CentOS.
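A quick way to check a captured response for the mismatch described in the reply above. This is an added example, not code from php-saml-sp or from the thread; the function names and the sample response are constructed, and it assumes "aes-256-gcm" corresponds to the XML Encryption 1.1 identifier `http://www.w3.org/2009/xmlenc11#aes256-gcm`.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#"}
# Assumption: the only data-encryption algorithm the SP accepts.
AES256_GCM = "http://www.w3.org/2009/xmlenc11#aes256-gcm"
AES128_CBC = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"


def data_encryption_algorithms(response_xml):
    """Return the content-encryption algorithm URI of each EncryptedAssertion."""
    root = ET.fromstring(response_xml)
    found = []
    for enc in root.iter("{%s}EncryptedAssertion" % SAML):
        # Only the EncryptionMethod directly under EncryptedData names the
        # cipher protecting the assertion. The one nested inside EncryptedKey
        # is the key-transport algorithm and is deliberately not matched.
        method = enc.find("xenc:EncryptedData/xenc:EncryptionMethod", NS)
        found.append(method.get("Algorithm") if method is not None else None)
    return found


def check_response(response_xml):
    """Return (algorithm, accepted) for every EncryptedAssertion found."""
    return [(a, a == AES256_GCM) for a in data_encryption_algorithms(response_xml)]


def sample_response(algorithm):
    """Constructed, trimmed-down response; cipher values are placeholders."""
    return f"""
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML}" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="{algorithm}"/>
      <ds:KeyInfo><xenc:EncryptedKey>
        <xenc:EncryptionMethod
            Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


if __name__ == "__main__":
    for alg, ok in check_response(sample_response(AES128_CBC)):
        print(("accepted: " if ok else "rejected: ") + str(alg))
```

Run it only on a trace you captured yourself; it reads the declared algorithm and does not decrypt or validate anything.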
Which IdP (software) is used? Would it be possible to either provide a "SAML Trace" (https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/) or provide access to a test account? You can either wait until the assertion is no longer valid, or provide it by e.g. mail.
We did not test all IdPs, only a subset of them, so it may be we missed some...