For browser-based SSO, if you chose to encrypt all or part of an SSO assertion on the Protocol Settings > Encryption Policy screen, you must identify the certificate that PingFederate can use to do so.

You must also select a certificate if your requirements include encrypting an assertion in response to an attribute query on the Attribute Query > Security Policy screen.

For WS-Trust STS, this configuration is also required if you have enabled the Generate Key for SAML Holder of Key Subject Confirmation Method or Encrypt SAML 2.0 Assertion option (or both options) on the WS-Trust > Protocol Settings screen.

If encryption is not required, the Select XML Encryption Certificate screen is not shown.

  1. Optional: Select an option under Block Encryption Algorithm.
    Important:

    Due to the import restrictions of some countries, Oracle Server JRE (Java SE Runtime Environment) 8 has built-in restrictions on available cryptographic strength (key size). To use larger key sizes, the Java Cryptography Extension (JCE) "unlimited strength" jurisdiction policy must be enabled. For more information, see the Java 8 release notes from Oracle (www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html).

    For Oracle Java SE Development Kit 11, the JCE jurisdiction policy defaults to unlimited strength. For more information, see the Oracle JDK Migration Guide (docs.oracle.com/en/java/javase/11/migrate/).

    The default selection is AES-128.

    For more information about XML block encryption and key transport algorithms, see XML Encryption Syntax and Processing from W3C (www.w3.org/TR/xmlenc-core/).

  2. Select an option under Key Transport Algorithm.
    Note:

    Due to security risks associated with the RSA-v1.5 algorithm used for key transport, it is no longer available for new connections. Existing connections in which this algorithm is configured continue to support it. However, we recommend upgrading such connections to use the newer algorithm RSA-OAEP.

    The default selection is RSA-OAEP.

  3. Select a partner certificate from the list.

    If you have not yet imported the certificate from your partner, click Manage Certificates to do so (see Managing certificates from partners).