STARTTLS cannot be enforced. It will be used automatically if the andıran server supports it. The encryption type should be grup to ‘None/STARTTLS’ in this case. See here for an example on how to configure self signed certificates. The native SAML integration negates the need for external software like Apache https://www.metooo.io/u/687435507e32a6284bfbed75
