diff --git a/saml/saml.go b/saml/saml.go
index bd0f89892efd1dc18cd849e6830a65b0197663c8..af567b7ed60324d81d47090b92e9eec34a4d5a75 100644
--- a/saml/saml.go
+++ b/saml/saml.go
@@ -3,6 +3,7 @@ package saml
 import (
 	"crypto/rand"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/xml"
@@ -213,7 +214,11 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 		return nil, err
 	}
 
-	cert, err := tls.LoadX509KeyPair(config.CertificateFile, config.PrivateKeyFile)
+	tlsCert, err := tls.LoadX509KeyPair(config.CertificateFile, config.PrivateKeyFile)
+	if err != nil {
+		return nil, err
+	}
+	x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
 	if err != nil {
 		return nil, err
 	}
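Review bot: Both new error returns in this hunk pass the error up without context, so a caller of NewSAMLIDP cannot tell an unreadable or mismatched key pair from a leaf certificate that fails to parse. Wrapping each would make startup failures diagnosable, e.g. `return nil, fmt.Errorf("loading SAML IdP key pair: %w", err)` and `return nil, fmt.Errorf("parsing SAML IdP certificate: %w", err)` (assuming `fmt` is imported; the import block is only partly visible here). Because this certificate becomes the IdP's signing certificate, it may also be worth rejecting one outside its `NotBefore`/`NotAfter` window here, rather than finding out when service providers refuse assertions. NewSAMLIDP starts and ends outside the hunk.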
@@ -250,8 +255,8 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 	// mux.Router in front in order to wrap just the ssoURL with
 	// our own SSO handler.
 	idp := &saml.IdentityProvider{
-		Key:                     cert.PrivateKey,
-		Certificate:             cert.Leaf,
+		Key:                     tlsCert.PrivateKey,
+		Certificate:             x509Cert,
 		Logger:                  logger.DefaultLogger,
 		MetadataURL:             metadataURL,
 		SSOURL:                  ssoURL,
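Review bot: Nothing in the new code records why `Certificate` is now fed from the separately parsed `x509Cert` rather than `tlsCert.Leaf`. On Go releases before 1.23, `tls.LoadX509KeyPair` leaves `Leaf` nil, so the old assignment presumably handed the IdP a nil certificate. A one-line comment above the field, such as `// tls.LoadX509KeyPair may leave Leaf nil, so use the explicitly parsed certificate.`, would keep a later cleanup from reverting it. The struct literal continues past the end of the hunk.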