---
title: Selecting a decryption key (SAML 2.0)
description: To enable inbound encryption in PingFederate, you must select a certificate to use as the decryption key.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_sp_credentialstasklet_selectxmldecryptionkeystate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_sp_credentialstasklet_selectxmldecryptionkeystate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Selecting a decryption key (SAML 2.0)

To enable inbound encryption in PingFederate, you must select a certificate to use as the decryption key.

## About this task

When you choose to encrypt the name identifier (`SAML_SUBJECT`) on **Protocol Settings > Encryption Policy**, you can also allow the service provider (SP) to encrypt the name identifier in its single logout (SLO) requests, if the SP-initiated single sign-on (SSO) profile is enabled for the connection. To enable this inbound encryption, you must specify at least one certificate on the **Select Decryption Keys** tab.

If decryption is not required, the **Select Decryption Keys** window is not shown.

## Steps

1. Select the primary XML decryption key from the list.

   If you have not created or imported your certificate into PingFederate, click **Manage Certificates**. For more information, see [Manage digital signing certificates and decryption keys](help_certmanagementtasklet_dsigsigningcert_certmanagementstate.html).

2. (Optional) Select the secondary XML decryption key from the list.
