diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index 02bfcc3d86685e3f6aced3dcb01b659e920f66f9..08fa994aa261c449ffb6f0178949632351853f5a 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -168,6 +168,12 @@ The following SAML 2.0 options are available:
     This certificate will be added to the generated metadata of the IdP,
     which is required by some SPs when using the HTTP-Artifact binding.
 
+`nameid.encryption`
+:   Whether NameIDs sent from this IdP should be encrypted. The default
+    value is `FALSE`.
+
+:   Note that this option can be set for each SP in the [SP-remote metadata](./simplesamlphp-reference-sp-remote).
+
 `SingleSignOnService`
 :   Override the default URL for the SingleSignOnService for this
     IdP. This is an absolute URL. The default value is
diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index 0edad94e632d89dee212b230c24014f4804d1dc0..71478f112cea7017b999cb666f46a5956d60f06a 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -101,6 +101,14 @@ SAML 2.0 options
 
 The following SAML 2.0 options are available:
 
+`nameid.encryption`
+:   Whether NameIDs sent to this IdP should be encrypted. The default
+    value is `FALSE`.
+
+:   Note that this option also exists in the SP configuration. This
+    entry in the IdP-remote metadata overrides the option in the
+    [SP configuration](./saml:sp).
+
 `saml2.relaxvalidation`
 :   Can be used to relax some parts of the validation of assertions received from this IdP. This is an array, and can include one or more of the following flags:
 
diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index 7a5a841e6a6d47c807b03190c1ab17c2e4b9e852..20a6fda3440e3de1dcc44ae061c2363ddae1c54e 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -173,6 +173,14 @@ The following SAML 2.0 options are available:
     specified in the `simplesaml.nameidattribute`-option as the value
     of the ID.
 
+`nameid.encryption`
+:   Whether NameIDs sent to this SP should be encrypted. The default
+    value is `FALSE`.
+
+:   Note that this option also exists in the IdP-hosted metadata. This
+    entry in the SP-remote metadata overrides the option in the
+    [IdP-hosted metadata](./simplesamlphp-reference-idp-hosted).
+
 `SingleLogoutService`
 :   The URL of the SingleLogoutService endpoint for this SP.
     This option is required if you want to implement single logout for
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 90b1f0dabeb9e121a1db66a01d819ce0d55637f5..5e5c66a0cbc8e17d9b22ddfa2064416654bbc819 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -216,6 +216,14 @@ Options
 
 :   *Note*: You must also specify at least one attribute in the `attributes` option for this element to be added to the metadata.
 
+`nameid.encryption`
+:   Whether NameIDs sent from this SP should be encrypted. The default
+    value is `FALSE`.
+
+:   Note that this option can be set for each IdP in the [IdP-remote metadata](./simplesamlphp-reference-idp-remote).
+
+:   *Note*: SAML 2 specific.
+
 `NameIDPolicy`
 :   The format of the NameID we request from the IdP.
     Defaults to the transient format if unspecified.