For SAML 2.0 configurations, signed assertions establish the authenticity and integrity of what the IdP sent. In addition, you and your partner may agree to encrypt all or part of an assertion (the entire assertion, the name identifier, or selected attributes) so that its contents stay confidential while the message passes through the user's browser. Encryption adds privacy on top of signing; it does not replace it. If you agree to encrypt, you can configure these settings on the Encryption Policy screen.
Note:

For WS-Fed connections with SAML 2.0 assertions, you cannot encrypt the entire assertion.

The options on the screen, and what each one permits for the name identifier, for other attributes, and for the SAML_SUBJECT in SLO messages:

Option: None
  Name identifier (SAML_SUBJECT): No encryption.
  Other attributes: No encryption.
  Encrypt the SAML_SUBJECT in SLO messages to the IdP: No encryption.
  Allow encrypted SAML_SUBJECT in SLO messages from the IdP: No encryption.

Option: The entire assertion
  Name identifier (SAML_SUBJECT): Encryption allowed.
  Other attributes: Encryption allowed.
  Encrypt the SAML_SUBJECT in SLO messages to the IdP: Encryption allowed as an available option.
  Allow encrypted SAML_SUBJECT in SLO messages from the IdP: Encryption allowed as an available option.

Option: SAML_SUBJECT (Name Identifier)
  Name identifier (SAML_SUBJECT): Encryption allowed.
  Other attributes: Encryption allowed as an available option.
  Encrypt the SAML_SUBJECT in SLO messages to the IdP: Encryption allowed as an available option.
  Allow encrypted SAML_SUBJECT in SLO messages from the IdP: Encryption allowed as an available option.

Option: One or more attributes
  Name identifier (SAML_SUBJECT): Encryption allowed.
  Other attributes: Encryption allowed as an available option.
  Encrypt the SAML_SUBJECT in SLO messages to the IdP: Encryption allowed as an available option only if you also select The entire assertion or SAML_SUBJECT.
  Allow encrypted SAML_SUBJECT in SLO messages from the IdP: Encryption allowed as an available option only if you also select The entire assertion or SAML_SUBJECT.

To enable encryption:

  1. Select the Allow encrypted SAML Assertions and SLO messages option.
  2. Choose whether this IdP partner will encrypt the entire assertion, the SAML_SUBJECT (name identifier), one or more other attributes, or some combination.
  3. If your partner is encrypting the name identifier, indicate whether you will encrypt this attribute in outbound SAML 2.0 SLO messages, allow its encryption for inbound messages, or both.

If you are editing an existing connection, you can reconfigure the XML encryption policy. Changing it may require additional configuration changes in subsequent tasks, for example where the decryption key or the attribute contract is set up, so review those screens after changing the policy.
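The agreed policy is something the SP side has to enforce on every inbound message, not only record: a response whose name identifier arrives in the clear when the partner agreed to encrypt it, or one that carries an EncryptedID or EncryptedAttribute when encryption was never enabled, should be rejected rather than silently accepted. The following Python is an added example, not PingFederate code. The names (EncryptionPolicy, policy_errors, check_response, check_logout_request) and the sample messages are this example's own; the EncryptedData bodies are placeholders, not real ciphertext. It uses only the standard library and inspects structure: it does not verify signatures or decrypt anything, so it runs before (or alongside) signature validation and decryption.

```python
# Added example (not PingFederate code): enforce the agreed encryption policy on
# inbound SAML 2.0 messages from the IdP partner.  Names are this example's own;
# sample messages are constructed.  Structural check only: no decryption here.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass(frozen=True)
class EncryptionPolicy:
    """Mirrors the Encryption Policy screen for one IdP partner (assumed field names)."""
    allow_encrypted: bool = False            # "Allow encrypted SAML Assertions and SLO messages"
    entire_assertion: bool = False           # partner encrypts the whole assertion
    subject: bool = False                    # partner encrypts SAML_SUBJECT (NameID)
    attributes: frozenset = frozenset()      # names of other attributes the partner encrypts
    allow_encrypted_subject_in_slo: bool = False  # inbound SLO may carry EncryptedID


def policy_errors(p: EncryptionPolicy) -> list:
    """Combinations the option table rules out; [] means the policy is consistent."""
    errs = []
    if not p.allow_encrypted and (p.entire_assertion or p.subject or p.attributes
                                  or p.allow_encrypted_subject_in_slo):
        errs.append("encryption options selected but encrypted assertions are not allowed")
    if p.allow_encrypted_subject_in_slo and not (p.entire_assertion or p.subject):
        errs.append("SLO NameID encryption needs 'entire assertion' or 'SAML_SUBJECT'")
    return errs


def check_response(xml_text: str, p: EncryptionPolicy) -> list:
    """Policy violations in a samlp:Response; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    v = []
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    plain = root.findall("saml:Assertion", NS)
    if not encrypted and not plain:
        v.append("response carries no assertion")
    if encrypted and not p.allow_encrypted:
        v.append("EncryptedAssertion received but encryption is not allowed")
    if p.entire_assertion:
        # Nothing inside an EncryptedAssertion is visible before decryption, so the
        # only structural check is that no plaintext assertion slipped through.
        if plain:
            v.append("plaintext Assertion received but the entire assertion must be encrypted")
        return v
    for a in plain:
        subj = a.find("saml:Subject", NS)
        if subj is None:
            v.append("Assertion has no Subject")
            continue
        enc_id = subj.find("saml:EncryptedID", NS)
        if p.subject and enc_id is None:
            v.append("Subject NameID is in the clear but SAML_SUBJECT must be encrypted")
        if enc_id is not None and not p.allow_encrypted:
            v.append("EncryptedID received but encryption is not allowed")
        for stmt in a.findall("saml:AttributeStatement", NS):
            clear = {x.get("Name") for x in stmt.findall("saml:Attribute", NS)}
            for name in sorted(p.attributes & clear):
                v.append(f"attribute {name} is in the clear but must be encrypted")
            if stmt.findall("saml:EncryptedAttribute", NS) and not p.allow_encrypted:
                v.append("EncryptedAttribute received but encryption is not allowed")
    return v


def check_logout_request(xml_text: str, p: EncryptionPolicy) -> list:
    """Policy violations in an inbound samlp:LogoutRequest from the IdP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return ["not a LogoutRequest"]
    v = []
    enc_id = root.find("saml:EncryptedID", NS)
    if enc_id is None and root.find("saml:NameID", NS) is None:
        v.append("LogoutRequest carries no NameID")
    if enc_id is not None and not p.allow_encrypted_subject_in_slo:
        v.append("EncryptedID in LogoutRequest but encrypted SAML_SUBJECT in SLO is not allowed")
    return v


# Constructed samples (not captured traffic); EncryptedData bodies are placeholders.
_HDR = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Version="2.0"')
RESPONSE_PLAIN = f"""<samlp:Response {_HDR} ID="_r1"><saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ssn"><saml:AttributeValue>000-00-0000</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
RESPONSE_ENC_SUBJECT = f"""<samlp:Response {_HDR} ID="_r2"><saml:Assertion ID="_a2" Version="2.0">
  <saml:Subject><saml:EncryptedID><xenc:EncryptedData/></saml:EncryptedID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:EncryptedAttribute><xenc:EncryptedData/></saml:EncryptedAttribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
RESPONSE_ENC_ALL = f"""<samlp:Response {_HDR} ID="_r3">
  <saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion></samlp:Response>"""
LOGOUT_ENC = f"""<samlp:LogoutRequest {_HDR} ID="_l1">
  <saml:EncryptedID><xenc:EncryptedData/></saml:EncryptedID></samlp:LogoutRequest>"""

if __name__ == "__main__":
    subject_policy = EncryptionPolicy(allow_encrypted=True, subject=True,
                                      attributes=frozenset({"ssn"}),
                                      allow_encrypted_subject_in_slo=True)
    print("plain:", check_response(RESPONSE_PLAIN, subject_policy))
    print("enc-subject:", check_response(RESPONSE_ENC_SUBJECT, subject_policy))
    print("slo:", check_logout_request(LOGOUT_ENC, subject_policy))
```

Two points the code makes explicit. First, when the partner encrypts the entire assertion, neither the name identifier nor the attributes can be checked until the assertion is decrypted, which is why that branch returns early; the name-identifier and attribute checks only apply to the other options. Second, policy_errors encodes the dependency from the option table: allowing an encrypted SAML_SUBJECT in SLO messages only makes sense when the entire assertion or the SAML_SUBJECT is encrypted, and none of the options make sense unless encrypted assertions are allowed at all.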