
Mismatch of "Signature algorithm" and selected certificate causes generic server error #19139

@patschi

Describe the bug

When downloading metadata, a server error occurs:
Image

Also the error message is very, very vague.

How to reproduce

  1. Create a SAML provider (any fake data is sufficient)
  2. Ensure an RSA certificate is present, e.g. the default authentik Self-signed Certificate
    Image
  3. Set "Signing Certificate" to the above certificate:
    Image
  4. Under the Advanced protocol settings (accidentally) pick any ECDSA-* selection:
    Image

Expected behavior

I understand this is somewhat expected and technically not possible. However, I started setting up Nextcloud with SAML with Authentik and realized Nextcloud's user_saml app does not work with ECDSA certificates, hence I reverted back to RSA.

But I completely overlooked adjusting the Signature algorithm at the very bottom of the settings page. I was literally banging my head over why my SAML configuration was not working, until I realized the entire metadata feature was broken.

Overall, it probably wasted around 2-3 heavily frustrating hours of my time. I'd appreciate at least some client-side JavaScript checks (e.g. greying them out), not being able to save it in the first place, or a more obvious error message in the logs or in the UI.

Screenshots

No response

Additional context

No response

Deployment Method

Docker

Version

2025.10.3 + 2025.12.0-rc2 (clean test-install)

Relevant log output

server-1      | {"event": "Internal Server Error: /api/v3/providers/saml/2/metadata/", "exception": [{"exc_notes": [], "exc_type": "Error", "exc_value": "(1, 'failed to sign')", "exceptions": [], "frames": [{"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py", "lineno": 555, "name": "thread_handler"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/core/handlers/exception.py", "lineno": 42, "name": "inner"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py", "lineno": 555, "name": "thread_handler"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/core/handlers/base.py", "lineno": 253, "name": "_get_response_async"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py", "lineno": 504, "name": "__call__"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/current_thread_executor.py", "lineno": 40, "name": "run"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/asgiref/sync.py", "lineno": 559, "name": "thread_handler"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/django/views/decorators/csrf.py", "lineno": 65, "name": "_view_wrapper"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/viewsets.py", "lineno": 125, "name": "view"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py", "lineno": 515, "name": "dispatch"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py", "lineno": 475, "name": "handle_exception"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py", "lineno": 486, "name": "raise_uncaught_exception"}, {"filename": "/ak-root/.venv/lib/python3.13/site-packages/rest_framework/views.py", "lineno": 512, "name": "dispatch"}, {"filename": "/authentik/providers/saml/api/providers.py", "lineno": 293, "name": "metadata"}, {"filename": "/authentik/providers/saml/processors/metadata.py", "lineno": 193, "name": "build_entity_descriptor"}, {"filename": "/authentik/providers/saml/processors/metadata.py", "lineno": 161, "name": "_sign"}], "is_cause": false, "is_group": false, "syntax_error": null}], "level": "error", "logger": "django.request", "timestamp": "2026-01-01T06:09:14.829037"}

Metadata

Labels

bug (Something isn't working), bug/confirmed (Confirmed bugs)

Status

Done

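A server-side form of the check the report asks for, as an added example that is not authentik's code and not part of the original issue: it compares the key type of the signing certificate with the key family named in the signature algorithm, so a mismatch is rejected with a specific message before any signing is attempted. The helper names are hypothetical, the certificates are constructed throwaway samples, and it assumes the setting is stored as a standard XML-DSig algorithm URI and that the `cryptography` package is installed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from cryptography.x509.oid import NameOID

# Key family named in the algorithm URI -> public key class it needs.
KEY_FAMILIES = {"rsa": rsa.RSAPublicKey, "ecdsa": ec.EllipticCurvePublicKey,
                "dsa": dsa.DSAPublicKey}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"


def check_signing_config(cert_pem: bytes, signature_algorithm: str) -> Optional[str]:
    """Hypothetical helper: None if the pair can sign, else an error message."""
    # XML-DSig algorithm URIs end in "#<family>-<digest>", e.g. "#ecdsa-sha256".
    family = signature_algorithm.rsplit("#", 1)[-1].split("-", 1)[0].lower()
    expected = KEY_FAMILIES.get(family)
    if expected is None:
        return f"Unsupported signature algorithm: {signature_algorithm}"
    key = x509.load_pem_x509_certificate(cert_pem).public_key()
    if isinstance(key, expected):
        return None
    actual = next((name.upper() for name, cls in KEY_FAMILIES.items()
                   if isinstance(key, cls)), type(key).__name__)
    return (f"Signature algorithm expects key type {family.upper()}, but the "
            f"signing certificate holds key type {actual}.")


def make_self_signed(private_key) -> bytes:
    """Constructed sample input: a throwaway self-signed certificate as PEM."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-sample")])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=1))
        .sign(private_key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    rsa_cert = make_self_signed(rsa.generate_private_key(public_exponent=65537, key_size=2048))
    print(check_signing_config(rsa_cert, ECDSA_SHA256))  # the combination from the report
    print(check_signing_config(rsa_cert, RSA_SHA256))
```

Running the same check when the provider is saved and again before metadata is signed would turn the generic "failed to sign" error into a message that names both settings.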