They don't "negotiate" other than through metadata. The IdP makes a decision and the SP either supports that or doesn't; there is no round trip. In the unlikely cases the SP encrypts anything itself, the same applies. -- Scott
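As an added illustration of the one-way, metadata-driven choice Scott describes (example code written for this page, not from the thread or any SAML library): the IdP reads the `md:EncryptionMethod` elements the SP advertises under its encryption `KeyDescriptor` and picks the first match from its own preference order, with nothing sent back to the SP. The metadata fragment, the entityID, the placeholder certificate and the IdP's preference list are all constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata fragment (hypothetical entityID, placeholder certificate).
# The SP advertises which data-encryption algorithms it can decrypt; it cannot
# ask the IdP for anything beyond this.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP-side preference order, strongest first (an assumed local policy).
IDP_PREFERENCE = [
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
]


def advertised_algorithms(metadata_xml):
    """Return the data-encryption algorithms the SP advertises, in document order.
    KeyDescriptors with no 'use' attribute apply to both signing and encryption,
    so they are included alongside use="encryption"."""
    root = ET.fromstring(metadata_xml)
    algs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "encryption"):
            continue
        for em in kd.findall("md:EncryptionMethod", NS):
            alg = em.get("Algorithm")
            if alg and alg not in algs:
                algs.append(alg)
    return algs


def choose_data_encryption_algorithm(metadata_xml, idp_preference=IDP_PREFERENCE, default=None):
    """One-shot IdP decision: pick the first algorithm in the IdP's own order that the
    SP advertises. Nothing is exchanged with the SP; the SP just has to decrypt what
    arrives. If the SP advertises nothing, fall back to the IdP's configured default;
    if there is no overlap, return None so the caller can refuse rather than guess."""
    advertised = advertised_algorithms(metadata_xml)
    if not advertised:
        return default
    for alg in idp_preference:
        if alg in advertised:
            return alg
    return None


if __name__ == "__main__":
    print("SP advertises:", advertised_algorithms(SP_METADATA))
    print("IdP will use:", choose_data_encryption_algorithm(SP_METADATA))
```

The `default` branch is where a real deployment's policy lives: an SP that advertises no `EncryptionMethod` gets whatever the IdP is configured to send, and an IdP that cannot find any overlap should fail closed rather than emit an assertion the SP cannot read.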