---
title: Choosing a decryption key (SAML 2.0)
description: As part of XML encryption, you must identify a certificate and key for PingFederate to use to decrypt incoming assertions or assertion elements.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_idp_credentialstasklet_selectxmldecryptionkeystate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_idp_credentialstasklet_selectxmldecryptionkeystate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Choosing a decryption key (SAML 2.0)

As part of XML encryption, you must identify a certificate and key for PingFederate to use to decrypt incoming assertions or assertion elements.

## About this task

For more information on XML encryption, see [Specifying XML encryption policy (for SAML 2.0)](help_idpprotocolsettingstasklet_selectidpxmlassertionencryptionstate.html).

## Steps

1. Select the primary XML decryption key from the list.

   If you have not created or imported your certificate into PingFederate, click **Manage Certificates**. For more information, see [Manage digital signing certificates and decryption keys](help_certmanagementtasklet_dsigsigningcert_certmanagementstate.html).

2. (Optional) Select the secondary XML decryption key from the list.