Configuring XML encryption policy (SAML 2.0)

For SAML 2.0 configurations, in addition to using signed assertions to ensure authenticity, you and your partner can also agree to encrypt all or part of an assertion to improve privacy. If so, you can configure these settings on the Encryption Policy tab.

Before you begin

For prerequisites and initial steps for configuring Browser SSO protocols, see Configuring protocol settings.

About this task

For WS-Fed connections with SAML 2.0 assertions, you cannot encrypt the entire assertion.

Option	Name identifier (SAML_SUBJECT)	Other attributes	Encrypt the SAML_SUBJECT in SLO messages to the SP	Allow encryption in SLO messages from the SP
None	No encryption.	No encryption.	No encryption.	No encryption.
The entire assertion	Encrypted.	Encrypted.	Available as an option.	Available as an option.
One or more attributes	Available as an option.	Available as an option.	Available as an option only if you select to encrypt the name identifier (SAML_SUBJECT).	Available as an option only if you select to encrypt the name identifier (SAML_SUBJECT).

Option

Name identifier (SAML_SUBJECT)

Other attributes

Encrypt the SAML_SUBJECT in SLO messages to the SP

Allow encryption in SLO messages from the SP

None

No encryption.

The entire assertion

Encrypted.

Available as an option.

One or more attributes

Available as an option.

Available as an option only if you select to encrypt the name identifier (SAML_SUBJECT).

Steps

Select the options based on your partner agreement.
Click Next to save changes.

Result

If you are editing an existing connection, you can reconfigure the XML encryption policy, which might require additional configuration changes in subsequent tasks.

PingFederate Server

Configuring XML encryption policy (SAML 2.0)

Before you begin

About this task

Steps

Result