diff --git a/ee/app/models/saml_provider.rb b/ee/app/models/saml_provider.rb
index c7dde15680a806d92cd3e88f2cbfabbae54a046f..4147139d3285c76da300e33463411a3b7d35062e 100644
--- a/ee/app/models/saml_provider.rb
+++ b/ee/app/models/saml_provider.rb
@@ -21,6 +21,10 @@ def name_identifier_format
 NAME_IDENTIFIER_FORMAT
 end

+ def certificate_fingerprint=(value)
+ super(strip_left_to_right_chars(value))
+ end
+
 def settings
 {
 assertion_consumer_service_url: assertion_consumer_service_url,
@@ -44,4 +48,8 @@ def set_defaults
 def host
 @host ||= Gitlab.config.gitlab.url
 end
+
+ def strip_left_to_right_chars(input)
+ input&.gsub(/[\u200E]/, '')
+ end
 end
diff --git a/ee/changelogs/unreleased/jej-strip-lrm-for-adfs.yml b/ee/changelogs/unreleased/jej-strip-lrm-for-adfs.yml
new file mode 100644
index 0000000000000000000000000000000000000000..670f6bf23e2ff1c3e84c36ffbbd1aacdff9c3e68
--- /dev/null
+++ b/ee/changelogs/unreleased/jej-strip-lrm-for-adfs.yml
@@ -0,0 +1,5 @@
+---
+title: Per-Group SAML (for GitLab.com) strips LRM chars from ADFS certificate fingerprints
+merge_request: 5466
+author:
+type: fixed
diff --git a/ee/spec/models/saml_provider_spec.rb b/ee/spec/models/saml_provider_spec.rb
index c8df818561d9c806f4002f0ef220082a9b3db43d..5a21f6a8cb58ee316bfe6c697189f61b2e0afec2 100644
--- a/ee/spec/models/saml_provider_spec.rb
+++ b/ee/spec/models/saml_provider_spec.rb
@@ -29,6 +29,10 @@
 expect(subject).not_to allow_value(invalid_characters).for(:certificate_fingerprint)
 end

+ it 'strips left-to-right marks from certificate_fingerprint' do
+ expect(subject).to allow_value("\u200E00 00 30 ED C2 85 E0 1D 6B 5E A3 30 10 A7 9A DD 14 2F 50 04‎").for(:certificate_fingerprint)
+ end
+
 it 'requires group to be top-level' do
 group = create(:group)
 nested_group = create(:group, :nested)
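Review bot: The `certificate_fingerprint=` override in the first hunk of saml_provider.rb rewrites the assigned value with no comment, and on the field that anchors SAML trust for the group a reader should be told why. I would put above it `# Thumbprints copied from ADFS can carry U+200E (LEFT-TO-RIGHT MARK); drop it so validation sees only the fingerprint itself.` Only assignment through this setter is normalised, so a write path that bypasses it (for example `update_column`) would still store the raw value, and the format validation has to remain the real gate. That validation is outside the hunk.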
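Review bot: `strip_left_to_right_chars` in the second hunk of saml_provider.rb promises more than it does: the name is plural and the pattern is a character class, yet only U+200E is removed, so the body can be `input&.delete("\u200E")` and the method named for the single mark, e.g. `strip_left_to_right_mark`. Keeping the set this narrow is reasonable, because any other unexpected character should reach the validator and be rejected rather than be silently dropped; a one-line comment saying so would discourage later widening. `input&.gsub` covers nil but would raise NoMethodError for a non-String value, which may or may not be reachable here. Whether the helper sits under `private` cannot be seen, since the class body above `def host` is outside the hunk.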
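Review bot: The new example in saml_provider_spec.rb is titled 'strips left-to-right marks' but only asserts `allow_value`, i.e. that the record validates; it never checks what ends up in the attribute. After assigning the marked string, add `expect(subject.certificate_fingerprint).not_to include("\u200E")`, so the test fails if the stripping is removed while validation is loosened. The test string also appears to end with a literal, invisible U+200E before the closing quote; writing it as `\u200E` like the leading one keeps it visible in review and safe from editors that hide or strip it. A nil assignment would cover the `&.` branch of the helper.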