When data encryption is used, attributes pushed from the identity provider application to its local instance of OpenSSO are encrypted, as are attributes sent from the local instance of OpenSSO on the service provider side to the service provider application. Both symmetric and asymmetric data encryption are supported in a Secure Attribute Exchange.
For symmetric encryption, the encryption key is the same shared secret used to sign the data. For asymmetric encryption, the sender encrypts the data with a symmetric encryption key and then encrypts that key using the receiving party's public key. Upon receipt of the encrypted data, the receiving party decrypts the encryption key using its private key, and then decrypts the data using the encryption key.