diff --git a/Cargo.lock b/Cargo.lock
index e691830e4b..f9c472d0c0 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -8303,9 +8303,9 @@ checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
 [[package]]
 name = "quick-xml"
-version = "0.31.0"
+version = "0.33.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1004a344b30a54e2ee58d66a71b32d2db2feb0a31f9a2d302bf0536f15de2a33"
+checksum = "0ca7dd09b5f4a9029c35e323b086d0a68acdc673317b9c4d002c6f1d4a7278c6"
 dependencies = [
  "memchr",
  "serde",
@@ -9189,9 +9189,9 @@ dependencies = [
 [[package]]
 name = "samael"
-version = "0.0.15"
+version = "0.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5da862a2115c0767681e28309a367dbd0a2366026948aae0272787e582d71eaf"
+checksum = "6c3e9664150c82db0eba06db746594e1e8e092c5c91986ee0fe46c0619fb159f"
 dependencies = [
  "base64 0.22.1",
  "bindgen",
diff --git a/Cargo.toml b/Cargo.toml
index cace946df8..49b6e0de44 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -528,7 +528,7 @@ rustfmt-wrapper = "0.2"
 rustls = "0.22.2"
 rustls-pemfile = "2.1.3"
 rustyline = "14.0.0"
-samael = { version = "0.0.15", features = ["xmlsec"] }
+samael = { version = "0.0.17", features = ["xmlsec"] }
 schemars = "0.8.21"
 secrecy = "0.8.0"
 semver = { version = "1.0.23", features = ["std", "serde"] }
diff --git a/nexus/auth/src/authn/silos.rs b/nexus/auth/src/authn/silos.rs
index 40b6346fa0..b451149d03 100644
--- a/nexus/auth/src/authn/silos.rs
+++ b/nexus/auth/src/authn/silos.rs
@@ -107,7 +107,9 @@ impl SamlIdentityProvider {
         let authn_request_url = if let Some(key) = self.private_key_bytes()? {
             // sign authn request if keys were supplied
-            authn_request.signed_redirect(&encoded_relay_state, &key)
+            let pkey = openssl::pkey::PKey::private_key_from_der(&key)
+                .map_err(|e| anyhow!(e.to_string()))?;
+            authn_request.signed_redirect(&encoded_relay_state, pkey)
         } else {
             authn_request.redirect(&encoded_relay_state)
         }
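Review bot: `.map_err(|e| anyhow!(e.to_string()))` on the new `private_key_from_der` call flattens the openssl `ErrorStack` into its message and drops it as a source, so anyone walking the error chain sees only a bare string; `anyhow!(e)` keeps the original error, and `.map_err(|e| anyhow!(e).context("parsing SAML signing key from DER"))` additionally says which key failed to parse. The call site now commits to DER encoding, which `private_key_bytes()` (outside the hunk) presumably guarantees; a one-line comment such as `// private_key_bytes() yields DER, so a PEM-encoded key fails here` would save the next reader a trip. Parsing the key also happens on every authn request rather than once at provider construction, so unless it is validated elsewhere a malformed key only surfaces when a login is attempted. The enclosing function starts and ends outside the hunk.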
@@ -294,10 +296,7 @@ impl SamlIdentityProvider {
                 )
             })?;
-        let signature_algorithm: String = assertion_signature.signed_info.signature_method.algorithm;
-        match signature_algorithm.as_str() {
+        match assertion_signature.signed_info.signature_method.algorithm.value() {
             // List taken from Signature section of
             // https://www.w3.org/TR/xmldsig-core1/#sec-AlgID, removing
             // discouraged items.
@@ -314,7 +313,7 @@ impl SamlIdentityProvider {
             "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
             | "http://www.w3.org/2009/xmldsig11#dsa-sha256" => {}
-            _ => {
+            signature_algorithm => {
                 return Err(
                     HttpError::for_bad_request(
                         None,
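Review bot: The catch-all arm in the second hunk now binds `signature_algorithm`, the algorithm URI taken straight from the SAML response the client posted, and the `HttpError::for_bad_request` it feeds continues outside the hunk; if that value is interpolated into the 400 body or a log line it is untrusted text, and bounding its length before echoing it is worth considering. With samael 0.0.17 the field is no longer a `String` but a type with a `.value()` accessor; if that type is an enum with a fixed variant set, matching on the variants instead of on URI strings would let the compiler check the allowlist, whereas a mistyped URI in a string match silently falls into the reject arm. A short comment on the reject arm would make the intent explicit, e.g. `// Any algorithm not in the allowlist above is rejected.`. Both hunks sit inside a method whose start and end are outside the hunk.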