diff --git a/app/controllers/concerns/saml_idp_auth_concern.rb b/app/controllers/concerns/saml_idp_auth_concern.rb
index f1a3bfe2d88..45630305257 100644
--- a/app/controllers/concerns/saml_idp_auth_concern.rb
+++ b/app/controllers/concerns/saml_idp_auth_concern.rb
@@ -148,12 +148,21 @@ def saml_response
 name_id_format: name_id_format,
 authn_context_classref: requested_authn_context,
 reference_id: active_identity.session_uuid,
- encryption: current_service_provider.encryption_opts,
+ encryption: encryption_opts,
 signature: saml_response_signature_options,
 signed_response_message: current_service_provider.signed_response_message_requested,
 )
 end
+ def encryption_opts
+ query_params = UriService.params(request.original_url)
+ if query_params[:skip_encryption].present? && current_service_provider.skip_encryption_allowed
+ nil
+ else
+ current_service_provider.encryption_opts
+ end
+ end
+
 def saml_response_signature_options
 endpoint = SamlEndpoint.new(request)
 {
diff --git a/app/models/null_service_provider.rb b/app/models/null_service_provider.rb
index c531c8bf397..a3c29a7c836 100644
--- a/app/models/null_service_provider.rb
+++ b/app/models/null_service_provider.rb
@@ -81,6 +81,10 @@ def encrypt_responses?
 def encryption_opts; end
+ def skip_encryption_allowed
+ false
+ end
+
 def allow_prompt_login
 false
 end
diff --git a/app/models/service_provider.rb b/app/models/service_provider.rb
index 39622b28fdb..2fff2d74f7d 100644
--- a/app/models/service_provider.rb
+++ b/app/models/service_provider.rb
@@ -47,6 +47,14 @@ def encryption_opts
 }
 end
+ def skip_encryption_allowed
+ config = AppConfig.env.skip_encryption_allowed_list
+ return false if config.blank?
+ @allowed_list ||= JSON.parse(config)
+ @allowed_list.include? issuer
+ end
+
 def live?
 active? && approved?
 end
diff --git a/config/application.yml.default b/config/application.yml.default
index 2d36ab7398c..1642bdea082 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default 
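Review bot: `query_params[:skip_encryption].present?` in the new `encryption_opts` treats any non-blank value, including `skip_encryption=false` or `skip_encryption=0`, as a request to drop encryption, so the opt-out should be an exact match such as `if query_params[:skip_encryption] == 'true' && current_service_provider.skip_encryption_allowed`. The value comes from the request URL, so the allow-list gate is the only thing keeping it out of reach of anyone who can shape that URL; the branch returning `nil` (which presumably disables response encryption, as the NullServiceProvider's `encryption_opts` returning nil suggests) is worth emitting a log or analytics event that names the issuer, so unencrypted responses in an environment can be audited. A one-line comment above the method would also help the next reader, e.g. `# nil (no encryption) only when the SP is on the configured allow list and explicitly asks via ?skip_encryption; otherwise the SP's normal encryption options.`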
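Review bot: `skip_encryption_allowed` is a boolean predicate but lacks the `?` its neighbours `live?` and `encrypt_responses?` carry; renaming it `skip_encryption_allowed?` here, in the NullServiceProvider stub and at the call site in the controller concern keeps the model API consistent. `JSON.parse(config)` is also assumed to yield an Array: a config value that is valid JSON but a String would turn `include?` into a substring test, so `@allowed_list ||= Array(JSON.parse(config))` or an explicit Array check makes the allow list fail closed on misconfiguration. The `@allowed_list` memo lives on the model instance, so if ServiceProvider objects are held across requests a config change would not be seen until they are recreated — worth confirming.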
@@ -233,6 +233,7 @@ development:
 scrypt_cost: 10000$8$1$
 secret_key_base: development_secret_key_base
 session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
+ skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:localhost"]'
 sps_over_quota_limit_notify_email_list: '[]'
 telephony_adapter: test
 use_dashboard_service_providers: 'true'
@@ -342,6 +343,7 @@ production:
 scrypt_cost: 10000$8$1$
 secret_key_base:
 session_encryption_key:
+ skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:dev", "urn:gov:gsa:SAML:2.0.profiles:sp:sso:int"]'
 sps_over_quota_limit_notify_email_list: '[]'
 telephony_adapter: pinpoint
 use_dashboard_service_providers: 'false'
diff --git a/spec/models/service_provider_spec.rb b/spec/models/service_provider_spec.rb
index 9aa74682834..5b05c056ac9 100644
--- a/spec/models/service_provider_spec.rb
+++ b/spec/models/service_provider_spec.rb
@@ -174,4 +174,23 @@
 end
 end
 end
+
+ describe '#skip_encryption_allowed' do
+ context 'SP in allowed list' do
+ before do
+ allow(AppConfig.env).to receive(:skip_encryption_allowed_list).
+ and_return('["http://localhost:3000"]')
+ end
+
+ it 'allows the SP to optionally skip encrypting the SAML response' do
+ expect(service_provider.skip_encryption_allowed).to be(true)
+ end
+ end
+
+ context 'SP not in allowed list' do
+ it 'does not allow the SP to optionally skip encrypting the SAML response' do
+ expect(service_provider.skip_encryption_allowed).to be(false)
+ end
+ end
+ end
 end
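Review bot: The production default for `skip_encryption_allowed_list` ships with two issuers already permitted to receive unencrypted SAML responses; a checked-in template should default to the empty list, `skip_encryption_allowed_list: '[]'`, in the same shape as the adjacent `sps_over_quota_limit_notify_email_list: '[]'`, with the dev and int issuers supplied by environment-specific configuration. The two issuers named there look like the dev and int SPs and may well be intended, but a default that grants the exception makes every deployment opt out rather than opt in.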
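Review bot: The 'SP not in allowed list' context never stubs `skip_encryption_allowed_list`, so it passes only because the test environment's value is blank or omits this issuer, which exercises the `config.blank?` guard rather than the membership check; stubbing an explicit list that excludes the issuer, e.g. `and_return('["urn:example:other-sp"]')` (a constructed value), would pin the real behaviour. There is also no case for a blank config or for a non-array JSON value, and nothing covers the controller-side `encryption_opts` branch, which is where the query parameter and the allow list are actually combined.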