The certificate used for signing and encryption is generated automatically during the plugin-installation. It can be replaced or regenerated in the Service Provider-tab.

This certificate is included in the SAML-metadata so that it is available to the Identity Provider after importing metadata. This inclusion can be controlled with the settings. 

Include Signing Certificate in Metadata and Include Encryption Certificate in Metadata in the Service Provider-tab.


SAML Single Sign On can sign outgoing SAML-requests and handle encrypted SAML-responses.

The option to sign requests is set per IdP-configuration with the parameter Sign Authentication Requests and is enabled by default.


SAML Single Sign On can decrypt encrypted SAML-responses or assertions. This requires no further configuration on the Plugin as long as the certificate is known to the IdP e.g. by including it in the metadata (see above) or importing it manually.