SAML metadata not created/updated with real certificate as signing certificate

[cheggerdev]

Describe the bug
When I create a SAML provider with a real certificate (e.g. Let's Encrypt) for signing then the metadata is not created or updated. Trying to download the metadata fails in consequence.
The bug does not happen when there is no certificate or a generated certificate selected for signing.

To Reproduce
Steps to reproduce the behavior:

1. Create a SAML provider
2. As signing certificate select a real certificate (e.g. Let's Encrypt) imported via the certs-docker-mountpoint
3. Click Finish
4. View SAML Provider Metadata
5. See missing Metadata

Expected behavior
Metadata should be created/updated no matter of the signing certificate

Version and Deployment (please complete the following information):

• authentik version: 2025.6.3
• Deployment: docker-compose

[cheggerdev]

The certificates key is not RSA but ECC encrypted. That might make the difference if ECC is not supported ...

[PeshekDotDev]

When you created the provider, did you manually set the signature algorithm to ECDSA-SHA256 (or other appropriate option) under Advanced Protocol Settings?

[cheggerdev]

Damit! No, I did not. It was on RSA-SHA256. Changing it to ECDSA solves the issue on the authentik side I described above.

On the Zabbix side I get "We have no idea about the key".

[BeryJu]

Just as a side point, it is generally not recommended to use Let's Encrypt or other short-lived "real" certificates for SAML/OIDC as the main thing that matters there is that the signature is valid, and a frequently changing cert is more trouble cc @ConzorKingKong we should probably mention this in the docs

[cheggerdev]

Question: When a self-generated certificate expires after one year does this matter, too? The signature will be still valid.

[BeryJu]

It depends on the application but a lot of them only care for the validity of the signature and not the expiration of the cert

[authentik-automation]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.