A SAML assertion query / request usually doesn’t contain much private data, and the request itself is usually not persisted for use later, so there is little need to encrypt the SAML request itself. Signing it will allow the receiver to verify that the contents have not been altered in transit, and transimitting it via SSL will provide privacy during transmission. Encrypting the request in this situation is probably overkill.

A SAML assertion response, however, is a whole different animal. A SAML response that contains claims or assertions will likely contain private data. Depending on how these assertions are being used in your system, the assertions may be passed around between different parties, some which have the keys required keys to decrypt the content (because they have a trust relationship with the SAML provider) and some which do not. The SAML assertions could be stored in a cache or in a database, so you really don’t know who will be poking through them in the future.

If the SAML response contains claims and assertions that contain private data, and the receiver of the response will be holding onto the SAML assertion for an indefinite period or passing the SAML assertions through intermediate parties you do not trust, then yes, the SAML assertions should be encrypted and the response signed, regardless of whether it is transmitted by SSL or not. Encryption is to protect the privacy of the data after it arrives at the other end of the SSL pipe.