diff --git a/lib/IdP/ADFS.php b/lib/IdP/ADFS.php index 58ad145..072a668 100644 --- a/lib/IdP/ADFS.php +++ b/lib/IdP/ADFS.php @@ -140,7 +140,7 @@ private static function generateResponse($issuer, $target, $nameid, $attributes, * @param string $algo * @return string */ - private static function signResponse($response, $key, $cert, $algo) + private static function signResponse($response, $key, $cert, $algo, $passphrase) { $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->idKeys = ['AssertionID']; @@ -160,6 +160,9 @@ private static function signResponse($response, $key, $cert, $algo) ); $objKey = new XMLSecurityKey($algo, ['type' => 'private']); + if (is_string($passphrase)) { + $objKey->passphrase = $passphrase; + } $objKey->loadKey($key, true); $objXMLSecDSig->sign($objKey); if ($cert) { @@ -364,12 +367,13 @@ public static function sendResponse(array $state) $privateKeyFile = \SimpleSAML\Utils\Config::getCertPath($idpMetadata->getString('privatekey')); $certificateFile = \SimpleSAML\Utils\Config::getCertPath($idpMetadata->getString('certificate')); + $passphrase = $idpMetadata->getString('privatekey_pass', null); $algo = $spMetadata->getString('signature.algorithm', null); if ($algo === null) { $algo = $idpMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA256); } - $wresult = ADFS::signResponse($response, $privateKeyFile, $certificateFile, $algo); + $wresult = ADFS::signResponse($response, $privateKeyFile, $certificateFile, $algo, $passphrase); $wctx = $state['adfs:wctx']; $wreply = $state['adfs:wreply'] ? : $spMetadata->getValue('prp');
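Review bot: The new `$passphrase` parameter on signResponse() is not reflected in the docblock directly above it, which still lists only the original parameters (`@param string $algo`, `@return string`). Since the caller passes the result of `getString('privatekey_pass', null)`, the value is a string or null, and the docblock should say so: `* @param string|null $passphrase  Passphrase of the private key, or null if the key is not encrypted.` The body of signResponse continues outside this hunk.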
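Review bot: In the second hunk a wrong or missing passphrase is only detected inside `$objKey->loadKey($key, true)`, and the exception xmlseclibs raises there (it throws when the private key cannot be extracted, if I recall correctly) does not say which key failed or that `privatekey_pass` is the likely cause, which makes an encrypted-key misconfiguration hard to diagnose from the logs. Consider wrapping the loadKey() call and rethrowing a `\SimpleSAML\Error\Exception` that names the relevant metadata options while keeping the original exception as the cause; the passphrase value itself must not appear in the message, since it would be logged. The `is_string($passphrase)` guard is fine as written, though `$passphrase !== null` would state the intent more directly given that the caller already enforces a string via getString().
```php
$objKey = new XMLSecurityKey($algo, ['type' => 'private']);
if (is_string($passphrase)) {
    $objKey->passphrase = $passphrase;
}
try {
    $objKey->loadKey($key, true);
} catch (\Exception $e) {
    // Never include $passphrase in the message: it ends up in the log.
    throw new \SimpleSAML\Error\Exception(
        'Unable to load the IdP private key for signing the ADFS response; check the privatekey and privatekey_pass options.',
        0,
        $e
    );
}
// … unchanged: sign and append the certificate …
```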