If SAML_SUBJECT is encrypted, either by itself or as part of a whole assertion, then all references to this name identifier in SAML 2.0 single logout (SLO) requests from your site might also be encrypted if the connection uses service provider (SP)-initiated SLO.
You must also choose a certificate if encryption of the name identifier is required for an Attribute Request profile. For more information, see Specifying XML encryption policy (for SAML 2.0).