When your X509 certificate configured in the SAML Plugin settings is not being included in the SAMLRequest, follow the steps below.
To sign the AuthNRequest sent by Matomo, you have to activate the “Sign AuthNRequest” option in “Advanced SAML Settings”. You also need to supply 1) SP Public X509cert and 2) SP private key. It is possible to use self-signed Certs. Create Self-Signed Certs on samltool.com.
Once the above steps are completed, AuthNRequest sent by Matomo will be signed (you will be able to find a signature GET parameter, if you are using HTTP redirect binding).
Note: You will need to register the SP Public x509 cert on the IdP side, in order to allow it to verify the Signature.