Make sure to look for Assertion or EncryptedAssertion in the Response specifically. The Advice section can also include Assertions or EncryptedAssertions, and should be ignored.

Alexander Schrijver · Alexander Schrijver · commit cdd0e9ca27ad · 2021-01-14T16:50:00.000+01:00
diff --git a/src/onelogin/saml2/response.py b/src/onelogin/saml2/response.py
@@ -661,8 +661,8 @@ def validate_num_assertions(self):
         :returns: True if only 1 assertion encrypted or not
         :rtype: bool
         """
-        encrypted_assertion_nodes = OneLogin_Saml2_XML.query(self.document, '//saml:EncryptedAssertion')
-        assertion_nodes = OneLogin_Saml2_XML.query(self.document, '//saml:Assertion')
+        encrypted_assertion_nodes = OneLogin_Saml2_XML.query(self.document, '/samlp:Response/saml:EncryptedAssertion')
+        assertion_nodes = OneLogin_Saml2_XML.query(self.document, '/samlp:Response/saml:Assertion')
 
         valid = len(encrypted_assertion_nodes) + len(assertion_nodes) == 1
 
