In SAML, is there a point for Assertion Level Encryption if we are already communicating via SSL?

Is there a point for implementing Assertion Level Encryption (and Attribute Level Encryption) if we are already communicating via SSL (https)?

Solution

If you're using the browser profile, whereby the SP and IdP exchange messages via the user's browser, SSL alone does not protect against a man-in-the-middle in all cases. Take for example the scenario where a user is on unsecured Wi-Fi and a malicious user intercepts traffic, swapping a self-signed SSL cert for the CA-issued one. If a user clicks through the warning, their transport-level security is negated and confidentiality may be breached. If on the other hand the sensitive parts of the assertion are protected via message level encryption, the man-in-the-middle in the above scenario still cannot read the message despite the user's poor judgement, and confidentiality is ensured.

Math.Sin() gives incorrect value
How to run my python script when the sunOS is start booting
Express-session: not resetting cookie expiration on each request
Getting a stack overflow exception when normalizing a vector
Edit default summary function in R gives error for multiple variables
What was a For loop? Why isn't it needed in R?
How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
Why are there two assignment operators, `<-` and `->` in R?
lm()$assign: what is it?
How to get the value of list(...) in R and S functions
Design matrix for MLM from library(lme4) with fixed and random effects
how to generate elements not included in my sample
Create a matrix with gradually changing values without a for loop
Emacs ESS and S-plus ( S+ ) 8.1 compatability
How to lag date-index in a time-series in R?
Nonlinear regression in R / S
Calling R from S-Plus?