To enable inbound encryption in PingFederate, you must select a certificate on the decryption key.
When you choose to encrypt the name identifier (SAML_SUBJECT) on , you can also allow the service provider (SP) to encrypt the name identifier in its single logout (SLO) requests, if the SP-initiated single sign-on (SSO) profile is enabled for the connection. To enable this inbound encryption, you must specify at least one certificate on the Select Decryption Keys tab.
If decryption is not required, the Select Decryption Keys window is not shown.