Have you tried to extend the SAML2EncryptionHandler and use the incoming request (and SAML message, e.g. AuthnRequest) to decide whether encryption should be enabled or not?