diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index 4cd309fd3a25722b0d7c47fc78d92a5f01948301..7d904a7109f18c978d1058711cceab99eb10fb7c 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -87,6 +87,12 @@ SAML 2.0 options
 
 The following SAML 2.0 options are available:
 
+`assertion.encryption`
+:   Whether assertions sent from this IdP should be encrypted. The default
+    value is `FALSE`.
+
+:   Note that this option can be set for each SP in the SP-remote metadata.
+
 `AttributeNameFormat`
 :   What value will be set in the Format field of attribute
     statements. This parameter can be configured multiple places, and
diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index f69dca7d64012bc399c85c7be498cebdc5a1b204..5a8ee250eb8a0aaf1ca808cf343cee202068e8af 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -92,7 +92,11 @@ It is possible to decrypt the assertions received from an IdP. Currently the onl
 There are two modes of encryption supported by simpleSAMLphp. One is symmetric encryption, in which case both the SP and the IdP needs to share a key. The other mode is the use of public key encryption. In that mode, the public key of the SP is extracted from the certificate of the SP.
 
 `assertion.encryption`
-:   Whether assertions received from this IdP are encrypted. The default value is `FALSE`.
+:   Whether assertions received from this IdP must be encrypted. The default value is `FALSE`.
+    If this option is set to `TRUE`, assertions from the IdP must be encrypted.
+    Unencrypted assertions will be rejected.
+
+:   Note that this option overrides the option with the same name in the SP configuration.
 
 `sharedkey`
 :   Symmetric key which should be used for decryption. This should be a 128-bit key. If this option is not specified, public key encryption will be used instead.
diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index 950c16305d233444cbb483a1ede63bd18b4fd696..6954a00d6250d04a2ca0e753d372c0d95a5206d7 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -215,6 +215,10 @@ of the SP.
 :   Whether assertions sent to this SP should be encrypted. The default
     value is `FALSE`.
 
+:   Note that this option also exists in the IdP-hosted metadata. This
+    entry in the SP-remote metadata overrides the option in the
+    IdP-hosted metadata.
+
 `sharedkey`
 :   Symmetric key which should be used for encryption. This should be a
     128-bit key. If this option is not specified, public key encryption
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 72eb70136992a320cfa427bd823c9af7dfa50c96..6390e1a471a5aa9478cc01b2ebecea758a30903f 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -94,6 +94,14 @@ Here we will list some examples for this authentication source.
 Options
 -------
 
+`assertion.encryption`
+:   Whether assertions received by this SP must be encrypted. The default value is `FALSE`.
+    If this option is set to `TRUE`, unencrypted assertions will be rejected.
+
+:   Note that this option can be overridden for a specific IdP in saml20-idp-remote.
+
+:   *Note*: SAML 2 specific.
+
 `AuthnContextClassRef`
 :   The SP can request authentication with a specific authentication context class.
     One example of usage could be if the IdP supports both username/password authentication as well as software-PKI.