diff --git a/app/controllers/concerns/saml_idp_auth_concern.rb b/app/controllers/concerns/saml_idp_auth_concern.rb
index 499081f34ff..265f696507a 100644
--- a/app/controllers/concerns/saml_idp_auth_concern.rb
+++ b/app/controllers/concerns/saml_idp_auth_concern.rb
@@ -158,8 +158,10 @@ def encryption_opts
 if query_params[:skip_encryption].present? && current_service_provider&.skip_encryption_allowed
 nil
 elsif current_service_provider&.encrypt_responses?
+ cert = saml_request.service_provider.matching_cert ||
+ current_service_provider&.ssl_certs&.first
 {
- cert: saml_request.service_provider.matching_cert,
+ cert: cert,
 block_encryption: current_service_provider&.block_encryption,
 key_transport: 'rsa-oaep-mgf1p',
 }
diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb
index caa535f18e8..01ab49dade6 100644
--- a/spec/controllers/saml_idp_controller_spec.rb
+++ b/spec/controllers/saml_idp_controller_spec.rb
@@ -430,6 +430,16 @@ def name_id_version(format_urn)
 end
 end
 
+ let(:second_cert_settings) do
+ saml_settings.tap do |settings|
+ settings.issuer = service_provider.issuer
+ settings.certificate = File.read(Rails.root.join('certs', 'sp', 'saml_test_sp2.crt'))
+ settings.private_key = OpenSSL::PKey::RSA.new(
+ File.read(Rails.root + 'keys/saml_test_sp2.key'),
+ ).to_pem
+ end
+ end
+
 context 'service provider has multiple certs' do
 let(:service_provider) do
 create(
@@ -445,16 +455,6 @@ def name_id_version(format_urn)
 end
 end
 
- let(:second_cert_settings) do
- saml_settings.tap do |settings|
- settings.issuer = service_provider.issuer
- settings.certificate = File.read(Rails.root.join('certs', 'sp', 'saml_test_sp2.crt'))
- settings.private_key = OpenSSL::PKey::RSA.new(
- File.read(Rails.root + 'keys/saml_test_sp2.key'),
- ).to_pem
- end
- end
-
 it 'encrypts the response to the right key' do
 user = create(:user, :signed_up)
 generate_saml_response(user, second_cert_settings)
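Review bot: The new fallback in `encryption_opts` lets a request whose certificate matches none of the SP's registered certs succeed silently by encrypting to `ssl_certs.first`, so a certificate mismatch — typically a sign of SP misconfiguration or a stale registration — is no longer observable; log or emit an event when `matching_cert` is nil before falling back. The fallback still yields nil when the SP has no registered certs, so `cert: cert` can be nil on that path — either guard it there or confirm the encryptor fails with a clear error rather than later and opaquely. Picking `first` is order-dependent, and nothing in the hunk says why that cert is the right default; a comment on the new lines should, e.g. `# No registered cert matched the request's cert; fall back to the SP's first registered cert so the response is still encrypted to a cert registered for this SP.` `encryption_opts` starts and ends outside the hunk.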
@@ -468,6 +468,22 @@ def name_id_version(format_urn)
 end
 end
 
+ context 'service provider has the wrong certs' do
+ let(:service_provider) do
+ create(
+ :service_provider,
+ certs: ['saml_test_sp'],
+ active: true,
+ )
+ end
+
+ it 'deoes not blow up' do
+ user = create(:user, :signed_up)
+
+ expect { generate_saml_response(user, second_cert_settings) }.to_not raise_error
+ end
+ end
+
 context 'POST to auth correctly stores SP in session' do
 before do
 @user = create(:user, :signed_up)
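Review bot: The new example only asserts that `generate_saml_response` does not raise, which does not pin the behavior the controller change introduces — that a request carrying the unregistered `saml_test_sp2` cert gets a response encrypted to the SP's registered `saml_test_sp` cert rather than being left unencrypted or failing later. The sibling example `'encrypts the response to the right key'` appears to check which key the response decrypts with; mirror that assertion here for the fallback cert, since `to_not raise_error` would also pass if encryption were skipped. The example name also has a typo: `it 'does not blow up' do`, or better a name stating the fallback, e.g. `it 'encrypts to the first registered cert when the request cert does not match' do`.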