Question
· Jun 13, 2023

Handling encrypted SAML assertions in response

We've implemented SAML authentication for our application where we are the service provider and various other entities are the identity providers. We've done successful connections with several identity providers including Okta, Duo Mobile, Ping Identity, and Azure. Validating the SAML response with signed assertions has been working great. Now, I am trying to implement support for the SAML assertions in the response being encrypted for a new identity provider and struggling to understand procedurally how to go about this. From the sample XML below, I assume I need to decrypt the <CipherData> element under <EncryptedKey> then use that decrypted key to decrypt the <CipherData> that's a child of <EncryptedData>. I'm at a loss as to how we actually go about doing that. Has anyone done this in CoS or have some general advice on how to proceed? Thanks!

   <saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
       <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <xenc:EncryptedKey>
                   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                   <xenc:CipherData>
                       <xenc:CipherValue>P4lsS...</xenc:CipherValue>
                   </xenc:CipherData>
               </xenc:EncryptedKey>
           </ds:KeyInfo>
           <xenc:CipherData>
               <xenc:CipherValue>m3qvG9...</xenc:CipherValue>
           </xenc:CipherData>
       </xenc:EncryptedData>
   </saml:EncryptedAssertion>
Product version: Caché 2018.1
$ZV: Cache for Windows (x86-64) 2018.1.4 (Build 504U) Thu May 14 2020 14:20:15 EDT
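The two-step procedure guessed at in the question is the right one, and the sample names the exact primitives: EncryptedKey is the AES session key wrapped with the SP's RSA public key under rsa-oaep-mgf1p (OAEP with SHA-1 and MGF1-SHA1), and EncryptedData is the assertion under AES-128-CBC with the IV prepended to the ciphertext and XML Encryption's "last byte is the pad length" padding. The Go code below is an added example, not the poster's code or anything from Caché; it assumes the caller has already base64-decoded the two CipherValue texts, and EncryptForSP only exists to construct sample input (a pretend IdP). In Caché the corresponding calls live in %SYSTEM.Encryption (RSADecrypt, AESCBCDecrypt). Whatever the language, the decrypted <saml:Assertion> must still go through the existing signature and condition checks, and since CBC provides no integrity, a decryption or padding failure should be rejected the same way as any other invalid response rather than reported distinctly to the client.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
)

// DecryptAssertion performs the two steps for the posted sample. wrappedKey is the base64-decoded
// EncryptedKey/CipherValue; data is the base64-decoded EncryptedData/CipherValue, which XML
// Encryption lays out as IV || ciphertext. It returns the plaintext <saml:Assertion> bytes.
func DecryptAssertion(spKey *rsa.PrivateKey, wrappedKey, data []byte) ([]byte, error) {
	// Step 1: rsa-oaep-mgf1p is RSA-OAEP with SHA-1 as both digest and MGF1 hash, no label.
	sessionKey, err := rsa.DecryptOAEP(sha1.New(), rand.Reader, spKey, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	// Step 2: aes128-cbc needs a 16-byte key, one IV block and at least one ciphertext block.
	if len(sessionKey) != 16 || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("EncryptedData does not match the aes128-cbc layout")
	}
	block, _ := aes.NewCipher(sessionKey) // cannot fail: key length checked above
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	// XML Encryption padding: the last byte is the pad length; the other pad bytes are arbitrary.
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("invalid padding")
	}
	return pt[:len(pt)-pad], nil
}

// EncryptForSP produces the two CipherValues the way an IdP would; this is constructed sample
// data for exercising DecryptAssertion, not something the SP needs in production.
func EncryptForSP(spPub *rsa.PublicKey, assertion []byte) (wrappedKey, data []byte) {
	key, pad := make([]byte, 16), aes.BlockSize-len(assertion)%aes.BlockSize
	rand.Read(key)
	data = make([]byte, aes.BlockSize+len(assertion)+pad) // IV || ciphertext
	rand.Read(data[:aes.BlockSize])
	padded := append(append([]byte{}, assertion...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(block, data[:aes.BlockSize]).CryptBlocks(data[aes.BlockSize:], padded)
	wrappedKey, _ = rsa.EncryptOAEP(sha1.New(), rand.Reader, spPub, key, nil)
	return wrappedKey, data
}
```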