This is probably not obvious to most users, but if the HTTP POST binding is used to deliver the Response, the enclosed assertions must be signed.
This is stated in the following links:
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
For example:
New at Section 4.1.4.5, lines 600-601
If the HTTP POST binding is used to deliver the <Response>, each assertion MUST be protected by a digital signature. This can be accomplished by signing each individual <Assertion> element or by signing the <Response> element.
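The rule quoted above, written as a structural check a service provider could run on a decoded POST-binding Response. This is an added example, not code from the original post or the SAML specification; the function names and the sample message are constructed. It assumes unencrypted assertions and only checks signature coverage, so cryptographic validation of the signature is still required.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_refers_to(element):
    """True if element has a direct-child ds:Signature whose single
    ds:Reference is a same-document reference to the element's own ID."""
    elem_id = element.get("ID")
    sig = element.find("ds:Signature", NS)  # direct child only, not a nested copy
    if not elem_id or sig is None:
        return False
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    return len(refs) == 1 and refs[0].get("URI") == "#" + elem_id

def unsigned_assertions(response_xml):
    """Return the IDs of assertions covered by neither a Response-level nor
    an Assertion-level signature. Structural check, no crypto verification."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if signature_refers_to(root):  # signing the Response covers every assertion
        return []
    return [a.get("ID") for a in root.findall("saml:Assertion", NS)
            if not signature_refers_to(a)]

def build_sample(sign_response, sign_assertion):
    """Constructed sample: Response r1 holding assertions a1 and a2."""
    def sig(ref):
        return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
                '</ds:SignedInfo></ds:Signature>' % ref)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="r1">'
            '%s<saml:Assertion ID="a1">%s</saml:Assertion>'
            '<saml:Assertion ID="a2"></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], NS["ds"],
               sig("r1") if sign_response else "",
               sig("a1") if sign_assertion else ""))

if __name__ == "__main__":
    print(unsigned_assertions(build_sample(False, True)))  # only a1 carries a signature
    print(unsigned_assertions(build_sample(True, False)))  # Response-level signature
```

A non-empty result means the Response should be rejected before any assertion content is used.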