---
title: Specifying XML encryption policy (for SAML 2.0)
description: For SAML 2.0 configurations, in addition to using signed assertions to ensure authenticity, you and your partner can also agree to encrypt all or part of an assertion to improve privacy.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_idpprotocolsettingstasklet_selectidpxmlassertionencryptionstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_idpprotocolsettingstasklet_selectidpxmlassertionencryptionstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: March 22, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result
---

# Specifying XML encryption policy (for SAML 2.0)

For SAML 2.0 configurations, in addition to using signed assertions to ensure authenticity, you and your partner can also agree to encrypt all or part of an assertion to improve privacy.

## About this task

You can configure these settings on the **Encryption Policy** tab.

> **Note:** For WS-Fed connections with SAML 2.0 assertions, you cannot encrypt the entire assertion.

| Option                          | Name identifier (SAML\_SUBJECT) | Other attributes                           | Encrypt the SAML\_SUBJECT in SLO messages to the IdP                                                                             | Allow encrypted SAML\_SUBJECT in SLO messages from the IdP                                                                       |
| ------------------------------- | ------------------------------- | ------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| None                            | No encryption.                  | No encryption.                             | No encryption.                                                                                                                   | No encryption.                                                                                                                   |
| The entire assertion            | Encryption allowed.             | Encryption allowed.                        | Encryption allowed as an available option.                                                                                       | Encryption allowed as an available option.                                                                                       |
| SAML\_SUBJECT (Name Identifier) | Encryption allowed.             | Encryption allowed as an available option. | Encryption allowed as an available option.                                                                                       | Encryption allowed as an available option.                                                                                       |
| One or more attributes          | Encryption allowed.             | Encryption allowed as an available option. | Encryption allowed as an available option only if you select to allow the entire assertion or the SAML\_SUBJECT to be encrypted. | Encryption allowed as an available option only if you select to allow the entire assertion or the SAML\_SUBJECT to be encrypted. |

> **Note:** To disable the decryption of `EncryptedID` elements when enclosed in a SAML attribute, set the `DecryptEncryptedIdInAttribute` property to `false` in the `<pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.profiles.sp.HandleAuthnResponse.xml` file.

To enable encryption:

## Steps

1. Click the **Allow encrypted SAML Assertions and SLO messages** option.

2. Choose whether this identity provider (IdP) partner will encrypt the entire assertion, the `SAML_SUBJECT` name identifier, one or more other attributes, or some combination.

3. If your partner is encrypting the name identifier, indicate whether you will encrypt this attribute in outbound SAML 2.0 single logout (SLO) messages, allow its encryption for inbound messages, or both.
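As an added example (not PingFederate's own code or part of this guide), the following Python script maps each option on the **Encryption Policy** tab to the SAML 2.0 element it produces, so you can check what a partner's `Response` or `LogoutRequest` actually encrypts. The sample messages are constructed, and the `EncryptedData` bodies are placeholders rather than real ciphertext.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}


def classify_encryption(xml_text: str) -> dict:
    """Report which SAML 2.0 elements in a Response or LogoutRequest are encrypted."""
    root = ET.fromstring(xml_text)
    return {
        # 'The entire assertion': saml:EncryptedAssertion replaces saml:Assertion,
        # so nothing below it (subject, attributes) is visible before decryption.
        "entire_assertion": root.find(".//saml:EncryptedAssertion", NS) is not None,
        # 'SAML_SUBJECT (Name Identifier)': EncryptedID under Subject in a Response,
        # or directly under the LogoutRequest in an SLO message.
        "name_id": (root.find(".//saml:Subject/saml:EncryptedID", NS) is not None
                    or root.find("./saml:EncryptedID", NS) is not None),
        # 'One or more attributes': the attribute Name is hidden once encrypted,
        # so only the number of EncryptedAttribute elements can be observed.
        "encrypted_attributes": len(root.findall(".//saml:AttributeStatement/saml:EncryptedAttribute", NS)),
        "plaintext_attributes": [a.get("Name") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)],
        # EncryptedID enclosed in an attribute value (the DecryptEncryptedIdInAttribute case).
        "encrypted_id_in_attribute": root.find(".//saml:AttributeValue/saml:EncryptedID", NS) is not None,
    }


# Constructed sample messages (placeholder ciphertext, no real keys involved).
ENC_DATA = ('<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
            '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>')

RESPONSE_SUBJECT_AND_ATTR = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:EncryptedID>{ENC_DATA}</saml:EncryptedID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:EncryptedAttribute>{ENC_DATA}</saml:EncryptedAttribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

RESPONSE_ENTIRE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion>{ENC_DATA}</saml:EncryptedAssertion>
</samlp:Response>"""

LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_l1" Version="2.0">
  <saml:EncryptedID>{ENC_DATA}</saml:EncryptedID>
</samlp:LogoutRequest>"""

if __name__ == "__main__":
    for label, msg in (("Response", RESPONSE_SUBJECT_AND_ATTR), ("Response (entire)", RESPONSE_ENTIRE),
                       ("LogoutRequest", LOGOUT_REQUEST)):
        print(label, classify_encryption(msg))
```

When the entire assertion is encrypted, the report shows `name_id` and attributes as not visible, which is why the table above only offers the name-identifier and attribute options as additional choices once decryption is in place.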

## Result

If you are editing an existing connection, you can reconfigure the XML encryption policy, which might require additional configuration changes in subsequent tasks.
