diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
index 15d7ca41d..9d804eee4 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
@@ -178,6 +178,8 @@ void setupSecurity(EntityDescriptor ed, EntityDescriptorRepresentation represent
             if (securityInfoRepresentation.isWantAssertionsSigned()) {
                 getSPSSODescriptorFromEntityDescriptor(ed).setWantAssertionsSigned(true);
             }
+            // TODO: review if we need more than a naive implementation
+            ed.getOptionalSPSSODescriptor().ifPresent( i -> i.getKeyDescriptors().clear());
             if (securityInfoRepresentation.isX509CertificateAvailable()) {
                 for (SecurityInfoRepresentation.X509CertificateRepresentation x509CertificateRepresentation : securityInfoRepresentation.getX509Certificates()) {
                     KeyDescriptor keyDescriptor = createKeyDescriptor(x509CertificateRepresentation.getName(), x509CertificateRepresentation.getType(), x509CertificateRepresentation.getValue());