diff --git a/internal/api/saml.go b/internal/api/saml.go
index def4e3912..eca05904b 100644
--- a/internal/api/saml.go
+++ b/internal/api/saml.go
@@ -89,7 +89,7 @@ func (a *API) SAMLMetadata(w http.ResponseWriter, r *http.Request) error {
 var keyDescriptors []saml.KeyDescriptor
 for _, kd := range spd.KeyDescriptors {
- if kd.Use == "signing" {
+ if kd.Use == "signing" || (a.config.SAML.AllowEncryptedAssertions && kd.Use == "encryption") {
 keyDescriptors = append(keyDescriptors, kd)
 }
 }
diff --git a/internal/conf/saml.go b/internal/conf/saml.go
index 246868ed6..66a820caf 100644
--- a/internal/conf/saml.go
+++ b/internal/conf/saml.go
@@ -17,6 +17,7 @@ import (
 type SAMLConfiguration struct {
 Enabled bool `json:"enabled"`
 PrivateKey string `json:"-" split_words:"true"`
+ AllowEncryptedAssertions bool `json:"allow_encrypted_assertions" split_words:"true"`
 RelayStateValidityPeriod time.Duration `json:"relay_state_validity_period" split_words:"true"`
 RSAPrivateKey *rsa.PrivateKey `json:"-"`
@@ -111,6 +112,10 @@ func (c *SAMLConfiguration) PopulateFields(externalURL string) error {
 },
 }
+ if c.AllowEncryptedAssertions {
+ certTemplate.KeyUsage = certTemplate.KeyUsage | x509.KeyUsageDataEncipherment
+ }
+
 certDer, err := x509.CreateCertificate(nil, certTemplate, certTemplate, c.RSAPublicKey, c.RSAPrivateKey)
 if err != nil {
 return err
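Review bot: The widened condition publishes an encryption KeyDescriptor, but nothing in this hunk or elsewhere in the commit shows where an encrypted assertion is actually decrypted, so a reader cannot tell whether `AllowEncryptedAssertions` enables decryption or only changes what the metadata advertises; a comment on the condition would settle that, e.g. `// Publish the encryption KeyDescriptor only when encrypted assertions are accepted; decryption itself is presumably done by the saml library — confirm.` Note also that the conf hunk adds the encipherment usage to the same certificate that signs, so one RSA key serves both signing and decryption; if that is intended it should be stated in the config documentation, since separate keys are the usual recommendation. SAMLMetadata continues outside the hunk.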
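Review bot: The new `AllowEncryptedAssertions` field carries no doc comment, although it is a deployer-facing switch that changes both the published metadata and the generated certificate; add above it `// AllowEncryptedAssertions publishes an encryption KeyDescriptor in the SP metadata and marks the SP certificate for encipherment, using the same key as PrivateKey.` The `split_words` tag implies an environment-variable spelling derived from the field name, with a prefix set outside this hunk, so the documented variable name should be checked against that. The struct definition continues outside the hunk.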
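Review bot: `x509.KeyUsageDataEncipherment` is most likely the wrong bit for this purpose: SAML assertion encryption uses XML Encryption key transport, where the RSA public key wraps a symmetric content key, and RFC 5280 assigns that use to keyEncipherment, reserving dataEncipherment for RSA applied directly to user data. Change the line to `certTemplate.KeyUsage |= x509.KeyUsageKeyEncipherment` (the `|=` form is also the idiomatic spelling); adding dataEncipherment alongside it is harmless if a particular IdP is known to expect it. Toggling the flag also changes the DER that CreateCertificate emits, so IdPs that have already imported the SP certificate may need to re-import it, which is worth stating in the config documentation. PopulateFields starts and ends outside the hunk.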