This was long pending and some people asked for it. You can now configure a decryption certificate in the admin area and use that to decrypt incoming SAML tokens via WS-Federation:

So far I have only tested with my ADFS as an identity provider. If you find a problem, please let me know.