diff --git a/app/controllers/saml_idp_controller.rb b/app/controllers/saml_idp_controller.rb
index bc24d75972a..5e8a95a9bec 100644
--- a/app/controllers/saml_idp_controller.rb
+++ b/app/controllers/saml_idp_controller.rb
@@ -35,8 +35,9 @@ def logout
 decode_request(raw_saml_request)
 # Plumb the fingerprint through to the internal service_provider representation
- if saml_request && matching_cert
- saml_request.service_provider.fingerprint = Fingerprinter.fingerprint_cert(matching_cert)
+ if saml_request&.service_provider
+ saml_request.service_provider.fingerprint =
+ Fingerprinter.fingerprint_cert(matching_cert || current_service_provider.ssl_certs.first)
 end
 track_logout_event
diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
index 01cb7552592..9e6af8fa348 100644
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
@@ -43,6 +43,32 @@
 delete :logout, params: { SAMLRequest: 'foo' }
 end
+
+ let(:service_provider) do
+ create(:service_provider,
+ cert: nil, # override singular cert
+ certs: ['saml_test_sp'],
+ active: true)
+ end
+
+ let(:wrong_cert_settings) do
+ sp1_saml_settings.tap do |settings|
+ settings.issuer = service_provider.issuer
+ settings.certificate = File.read(Rails.root.join('certs', 'sp', 'saml_test_sp2.crt'))
+ settings.private_key = OpenSSL::PKey::RSA.new(
+ File.read(Rails.root + 'keys/saml_test_sp2.key'),
+ ).to_pem
+ end
+ end
+
+ it 'rejects requests from a wrong cert' do
+ request_url = OneLogin::RubySaml::Logoutrequest.new.create(wrong_cert_settings)
+ saml_request = UriService.params(request_url)[:SAMLRequest]
+
+ delete :logout, params: { SAMLRequest: saml_request }
+
+ expect(response).to be_bad_request
+ end
 end
 describe '/api/saml/metadata' do
diff --git a/spec/support/fake_saml_logout_request.rb b/spec/support/fake_saml_logout_request.rb
index 3dc89acc2b8..68fbd83783a 100644
--- a/spec/support/fake_saml_logout_request.rb
+++ b/spec/support/fake_saml_logout_request.rb
@@ -1,4 +1,6 @@
 class FakeSamlLogoutRequest
+ attr_accessor :fingerprint
+
 def service_provider
 self
 end
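Review bot: The fallback `matching_cert || current_service_provider.ssl_certs.first` deliberately pins a cert that did NOT match the request's signature whenever no configured cert matched, and nothing at the assignment says why; a reader could "simplify" it back to the old guard and silently skip validation again. Add a why-comment above the assignment, e.g. `# No configured cert matched the signature: pin the SP's first cert anyway so signature validation still runs and rejects the request instead of being skipped`. The fallback also has a hole on the failure path: if `current_service_provider` is nil this line raises NoMethodError, and if `ssl_certs` is empty `fingerprint_cert` receives nil, so unless `fingerprint_cert` is known to handle nil those cases end in a 500 rather than the 400 the new spec expects; consider `current_service_provider&.ssl_certs&.first` and rejecting the request explicitly when no cert at all is available. `matching_cert` and `current_service_provider` are defined outside the hunk, and the body of `logout` continues on both sides of it, so whether they can be nil here is inferred rather than visible.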
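Review bot: The new example covers only the rejection path: `wrong_cert_settings` signs with saml_test_sp2 while the SP is registered with `certs: ['saml_test_sp']`, so it exercises the controller's `ssl_certs.first` fallback but not the case that fallback must never shadow, a logout request signed with one of the SP's configured certs (and, if multi-cert SPs are supported, with a cert other than the first). Consider a sibling example built from the matching settings that asserts the request is accepted, so a regression where `matching_cert` loses to the fallback is caught. Minor style point: the cert path uses `Rails.root.join('certs', 'sp', ...)` while the key path uses `Rails.root + 'keys/...'`; one form throughout reads better. The enclosing describe block starts and ends outside the hunk.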