For browser-based SSO, if you chose to encrypt all or part of an SSO assertion on the
screen, you must identify the certificate that PingFederate can use to do so.You must also select a certificate if your requirements include encrypting an assertion in response to an attribute query on the
screen.For WS-Trust STS, this configuration is also required if you have enabled the Generate Key for SAML Holder of Key Subject Confirmation Method or Encrypt SAML 2.0 Assertion option (or both options) on the screen.
If encryption is not required, the Select XML Encryption Certificate screen is not shown.