diff --git a/config-templates/config.php b/config-templates/config.php
index 7f426a9a005b901d22494474699fb5f392b944df..9d267be49d2f608b3e9b3d17d279ae3146b183f2 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -866,12 +866,23 @@ $config = [
      * The serving of the resources can be configured through these settings.
      */
     'assets' => [
+        /*
+         * These settings adjust the caching headers that are sent
+         * when serving static resources.
+         */
         'caching' => [
-            /**
-             * These settings adjust the caching headers that are sent
-             * when serving static resources.
+            /*
+             * Amount of seconds before the resource should be fetched again
              */
             'max_age' => 86400,
+            /*
+             * Calculate a checksum of every file and send it to the browser
+             * This allows the browser to avoid downloading assets again in situations
+             * where the Last-Modified header cannot be trusted,
+             * for example in cluster setups
+             *
+             * Defaults false
+             */
             'etag' => false,
         ],
     ],
diff --git a/lib/SimpleSAML/Module.php b/lib/SimpleSAML/Module.php
index 84d2f4a63c6687c74c9a8916937919dbce730398..31e970bbb031e758a488bea57779fecd0dafd2da 100644
--- a/lib/SimpleSAML/Module.php
+++ b/lib/SimpleSAML/Module.php
@@ -264,11 +264,17 @@ class Module
             }
         }
 
-        $assetConfig = $config->getArray('assets', ['caching' => ['max_age' => 86400, 'etag' => false]]);
+        $assetConfig = $config->getConfigItem('assets', new Configuration([], '[assets]'));
+        $cacheConfig = $assetConfig->getConfigItem('caching', new Configuration([], '[assets][caching]'));
         $response = new BinaryFileResponse($path);
-        $response->setCache(['public' => true, 'max_age' => $assetConfig['caching']['max_age']]);
+        $response->setCache([
+            // "public" allows response caching even if the request was authenticated,
+            // which is exactly what we want for static resources
+            'public' => true,
+            'max_age' => (string)$cacheConfig->getInteger('max_age', 86400)
+        ]);
         $response->setAutoLastModified();
-        if ($assetConfig['caching']['etag']) {
+        if ($cacheConfig->getBoolean('etag', false)) {
             $response->setAutoEtag();
         }
         $response->isNotModified($request);