diff --git a/type/__matrix_synapse/files/homeserver.yaml.sh b/type/__matrix_synapse/files/homeserver.yaml.sh
index 2e7670e..f0df206 100755
--- a/type/__matrix_synapse/files/homeserver.yaml.sh
+++ b/type/__matrix_synapse/files/homeserver.yaml.sh
@@ -1727,6 +1727,13 @@ if [ -n "$SAML2_IDP_METADATA_URL" ]; then
 EOF
 fi
+if [ -n "$SAML2_SP_CERT" ] || [ -n "$SAML2_SP_KEY" ]; then
+ cat << EOF
+ key_file: "$SAML2_SP_KEY"
+ cert_file: "$SAML2_SP_CERT"
+EOF
+fi
+
 cat << EOF
 # Allowed clock difference in seconds between the homeserver and IdP.
 #
diff --git a/type/__matrix_synapse/man.rst b/type/__matrix_synapse/man.rst
index c368755..125a9ac 100644
--- a/type/__matrix_synapse/man.rst
+++ b/type/__matrix_synapse/man.rst
@@ -192,6 +192,12 @@ bind-address
 saml2-idp-metadata-url
 HTTP(S) url to SAML2 Identity Provider (IdP), used for Single Sign On (SSO) logic.
+saml2-sp-key
+ Path to PEM-formatted key file for use by PySAML2.
+
+saml2-sp-cert
+ Path to PEM-formatted cert file for use by PySAML2.
+
 extra-setting
 Arbitrary string to be added to the configuration file. Can be specified multiple times.
diff --git a/type/__matrix_synapse/manifest b/type/__matrix_synapse/manifest
index 8ba9152..078d395 100755
--- a/type/__matrix_synapse/manifest
+++ b/type/__matrix_synapse/manifest
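Review bot: The guard on the first added line uses `||`, but the manifest in this same commit exits when only one of the two variables is set, so the generator is written for a state the type never lets it reach; `if [ -n "$SAML2_SP_CERT" ] && [ -n "$SAML2_SP_KEY" ]; then` states the real contract and, should the script ever run with only one variable exported, avoids emitting `key_file: ""` or `cert_file: ""`, which would point synapse at an empty path instead of omitting the setting. The values are interpolated into double-quoted YAML scalars, so a path containing `"` or `\` yields invalid YAML; if that is the convention for every path in this generator it deserves a comment on the heredoc, e.g. `# paths are emitted as double-quoted YAML scalars and are not escaped`. Whether the heredoc's indentation nests these keys under the intended parent (the pysaml2 settings live under `sp_config` in synapse's `saml2_config`) cannot be verified from this hunk.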
@@ -200,6 +200,24 @@ if [ -f "$__object/parameter/saml2-idp-metadata-url" ]; then
 export SAML2_IDP_METADATA_URL
 fi
+if [ -f "$__object/parameter/saml2-sp-key" ]; then
+ SAML2_SP_KEY=$(cat "$__object/parameter/saml2-sp-key")
+ export SAML2_SP_KEY
+fi
+
+if [ -f "$__object/parameter/saml2-sp-cert" ]; then
+ SAML2_SP_CERT=$(cat "$__object/parameter/saml2-sp-cert")
+ export SAML2_SP_CERT
+fi
+
+if [ -n "$SAML2_SP_KEY" ] && [ -z "$SAML2_SP_CERT" ]; then
+ echo "--saml2-sp-cert must be set if --saml2-sp-key is provided." >&2
+ exit 1
+elif [ -n "$SAML2_SP_CERT" ] && [ -z "$SAML2_SP_KEY" ]; then
+ echo "--saml2-sp-key must be set if --saml2-sp-cert is provided." >&2
+ exit 1
+fi
+
 if [ -f "$__object/parameter/default-identity-server" ]; then
 DEFAULT_IDENTITY_SERVER=$(cat "$__object/parameter/default-identity-server")
 export DEFAULT_IDENTITY_SERVER
diff --git a/type/__matrix_synapse/parameter/optional b/type/__matrix_synapse/parameter/optional
index 599e00b..be44ca7 100644
--- a/type/__matrix_synapse/parameter/optional
+++ b/type/__matrix_synapse/parameter/optional
@@ -37,4 +37,6 @@ tls-cert
 tls-private-key
 registration-shared-secret
 saml2-idp-metadata-url
+saml2-sp-key
+saml2-sp-cert
 default-identity-server
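Review bot: The pairing check tests `-n`/`-z` on variables that are only assigned when the parameter file exists, so an explicitly empty value (`--saml2-sp-key ''`) passes as "not provided" and the key/cert pair is silently dropped rather than rejected, and if the manifest runs under `set -u` (not visible in this hunk) the reference to the never-assigned variable would abort before the intended message is printed. Keying the check on the parameter files, which is what the two preceding blocks already do, closes both gaps: `if [ -f "$__object/parameter/saml2-sp-key" ] && ! [ -f "$__object/parameter/saml2-sp-cert" ]; then` and the mirror `elif [ -f "$__object/parameter/saml2-sp-cert" ] && ! [ -f "$__object/parameter/saml2-sp-key" ]; then`. A one-line comment above the check, `# PySAML2 needs both the SP key and cert; refuse a half-configured pair`, would also record why the two parameters are coupled.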