Learn more about the latest product updates at the Checkmk Conference #12 – live from June 16-17! Watch here
back to website

Werk #20083: SAML: advertise the encryption certificate in the metadata

Component Setup, site management
Title SAML: advertise the encryption certificate in the metadata
Date Jun 5, 2026
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
3.0.0b1
Not yet released 		Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.5.0p6 Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.4.0p32
Not yet released 		Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT

When an encryption certificate is configured for a SAML connection, Checkmk uses the corresponding private key to decrypt encrypted assertions sent by the identity provider (IdP). However, the service provider metadata that Checkmk publishes did not include that certificate. IdPs therefore had no way to learn which key they should encrypt to, so depending on the IdP the encryption certificate had to be entered manually or encryption did not work at all.

If an encryption certificate is configured, the published service provider metadata now contains a <md:KeyDescriptor use="encryption"> entry with the certificate.

To the list of all Werks