---
title: Choosing an encryption certificate (SAML 2.0)
description: If SAML_SUBJECT is encrypted, either by itself or as part of a whole assertion, then all references to this name identifier in SAML 2.0 single logout (SLO) requests from your site might also be encrypted if the connection uses service provider (SP)-initiated SLO.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_idp_credentialstasklet_selectxmlencryptioncertstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_idp_credentialstasklet_selectxmlencryptioncertstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Choosing an encryption certificate (SAML 2.0)

If `SAML_SUBJECT` is encrypted, either by itself or as part of a whole assertion, then all references to this name identifier in SAML 2.0 single logout (SLO) requests from your site might also be encrypted if the connection uses service provider (SP)-initiated SLO.

## About this task

You must also choose a certificate if encryption of the name identifier is required for an Attribute Request profile. For more information, see [Specifying XML encryption policy (for SAML 2.0)](help_idpprotocolsettingstasklet_selectidpxmlassertionencryptionstate.html).

## Steps

1. (Optional) Select an option under **Block Encryption Algorithm**.

   For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the [Oracle JDK Migration Guide](https://docs.oracle.com/en/java/javase/11/migrate/) in Oracle's documentation.

   The default selection is **AES-128**.

   For more information about XML block encryption and key transport algorithms, see [XML Encryption Syntax and Processing from W3C](https://www.w3.org/TR/xmlenc-core/).

2. Select an option under **Key Transport Algorithm**.

   Due to security risks associated with the RSA-v1.5 algorithm used for key transport, it is no longer available for new connections. Existing connections in which this algorithm is configured continue to support it. However, you should upgrade such connections to use a newer algorithm.

   The default selection is **RSA-OAEP**.

3. Select a partner certificate from the list.

   If you have not imported the certificate from your partner, click **Manage Certificates** to do so. For more information, see [Managing certificates from partners](pf_managing_certificates_from_partners.html).
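The following is an added example, not PingFederate's own code, that audits the block encryption and key transport algorithm URIs in an encrypted SAML 2.0 assertion, which is useful when reviewing existing connections that may still be configured with RSA-v1.5 key transport. The sample `EncryptedAssertion` and its placeholder cipher values are constructed for this example; the algorithm URIs are the standard XML Encryption identifiers.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Key transport algorithm URIs defined by XML Encryption 1.0 / 1.1.
RSA_V15 = XENC + "rsa-1_5"
ACCEPTED_KEY_TRANSPORT = {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}

# Constructed sample: AES-128-CBC block encryption with an RSA-v1.5 EncryptedKey.
SAMPLE = f"""<saml:EncryptedAssertion xmlns:saml="{SAML}">
  <xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
    <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>"""


def audit_encrypted_assertion(xml_text: str) -> dict:
    """Return the algorithms used and a list of findings for the key transport choice."""
    root = ET.fromstring(xml_text)
    enc_data = root.find(f"{{{XENC}}}EncryptedData")
    if enc_data is None:
        raise ValueError("no xenc:EncryptedData element in the assertion")
    block_alg = enc_data.find(f"{{{XENC}}}EncryptionMethod").get("Algorithm")
    # The EncryptedKey normally sits inside ds:KeyInfo, so search the whole subtree.
    key_algs = [
        method.get("Algorithm")
        for enc_key in enc_data.iter(f"{{{XENC}}}EncryptedKey")
        for method in enc_key.findall(f"{{{XENC}}}EncryptionMethod")
    ]
    findings = []
    for alg in key_algs:
        if alg == RSA_V15:
            findings.append("key transport uses RSA-v1.5; reconfigure the connection to RSA-OAEP")
        elif alg not in ACCEPTED_KEY_TRANSPORT:
            findings.append(f"unrecognised key transport algorithm: {alg}")
    return {"block_encryption": block_alg, "key_transport": key_algs, "findings": findings}


if __name__ == "__main__":
    for line in audit_encrypted_assertion(SAMPLE)["findings"]:
        print(line)
```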
