We're running a Policy Server to protect Federated web sites and we'd
like to know the difference between the Signature and Encryption of an
assertion.
What are the differences between both?
At first glance, both options are complementary.
On one hand, the signature lets you ensure that a "readable"
assertion cannot be modified undetected while it travels from the IdP to the
SP or vice versa.
On the other hand, the encryption turns the "readable" assertion
into an "unreadable" one.
The following page gives some samples to illustrate the difference
between the two in an assertion:
In the following two samples, the first shows readable assertion data,
which includes the certificate used to sign the assertion:
SAML Response with Signed Assertion
[...]
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfxcfc63ce0-a942-bf8a-09bb-ea69c0a2b5d1" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfxcfc63ce0-a942-bf8a-09bb-ea69c0a2b5d1">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>0UPc/Vwm1ZHlCAr/ZNlJD5L38Ck=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>FOemut3nr+OHJ4zpzCZSBs08pzSvfvEgL5oNm8sCd+sgpHsWC7MtD60E6UqsL5KtmaKNE3Lq1lPWvp4LvH6/SflIS6PQ1vbFEF7QNboZIosVqY+CpmdlQRPeqUEsASpFYdqFKIaqAkSL/aitT9BY7WYh05nQEh6fDzOkP7DA8yI=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>[...]</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
[...]
The second shows an unsigned but encrypted assertion. You'll see that, as the
assertion content is encrypted, we can't read it.
SAML Response with Encrypted Assertion
[...]
<saml:EncryptedAssertion>
  <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xenc:CipherData>
          <xenc:CipherValue>CZahQI8dV4qIDZjOcuWS2KU+X0QY+gb94EwoRw59CBz+yhj6HZqzYPexjw4TAx6D+teubiQESNydym5R/BjQjvj/tRSZAblHj5iC2UZElcmilxWrb7q2ED+t+cGrdiXuHWo0+yplCs0ehYrCbckboyEF75MYsPTXY1DdQCuABWc=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedKey>
    </dsig:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>[...]</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>
[...]
https://www.samltool.com/generic_sso_res.php
These features are available in our product, as described in the following:
SAML Service Provider Encryption and Signing Options
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/legacy-federation-reference/saml-2-0-service-provider-reference/saml-service-provider-encryption-and-signing-options.html
Combining signature and encryption of the assertion ensures both that
the data cannot be changed without detection and that the data won't be
readable while it transits from one site to the other.
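To make the two properties concrete, the following is an added example in Go; it is not code from this page, from the samltool.com sample, or from the SiteMinder product. It models the same two operations the XML samples show: the IdP signs the assertion with its private key and the SP verifies with the IdP's public key (integrity and origin), and the IdP encrypts the assertion under a random AES-128 session key wrapped for the SP's public key so only the SP can read it (confidentiality). Assumptions: the assertion is a constructed string and its raw bytes stand in for the exc-c14n canonical form a real XML-DSig implementation would digest; SHA-256 and RSA-OAEP are used in place of the sample's sha1 and rsa-1_5; the key names idpKey and spKey are hypothetical.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleAssertion is a constructed, illustrative assertion (not the page's XML).
// A real implementation digests the exc-c14n canonical form, not the raw bytes.
const SampleAssertion = `<saml:Assertion ID="_example"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject><saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience></saml:Assertion>`

// SignAssertion: the IdP signs the SHA-256 digest of the assertion with its private
// key (RSA PKCS#1 v1.5, the same family as rsa-sha1 in the sample, with SHA-256).
func SignAssertion(idpPriv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, idpPriv, crypto.SHA256, digest[:])
}

// VerifyAssertion: the SP verifies with the IdP public key it already trusts from
// metadata, never with a key taken out of the message's own KeyInfo.
func VerifyAssertion(idpPub *rsa.PublicKey, assertion, sig []byte) bool {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, digest[:], sig) == nil
}

// EncryptedAssertion mirrors xenc:EncryptedData: a session key wrapped for the SP
// (xenc:EncryptedKey) plus the AES-CBC ciphertext (xenc:CipherValue).
type EncryptedAssertion struct {
	WrappedKey []byte
	IV         []byte
	Ciphertext []byte
}

// EncryptAssertion: the IdP draws a random AES-128 key, encrypts with AES-128-CBC
// (as in the aes128-cbc sample) and wraps the key with RSA-OAEP for the SP.
func EncryptAssertion(spPub *rsa.PublicKey, assertion []byte) (*EncryptedAssertion, error) {
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// PKCS#7 padding to a whole number of 16-byte blocks.
	pad := aes.BlockSize - len(assertion)%aes.BlockSize
	padded := append(append([]byte{}, assertion...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// DecryptAssertion: only the SP's private key can unwrap the session key, so a
// third party on the path sees ciphertext only.
func DecryptAssertion(spPriv *rsa.PrivateKey, ea *EncryptedAssertion) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, ea.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ea.Ciphertext) == 0 || len(ea.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ea.Ciphertext))
	cipher.NewCBCDecrypter(block, ea.IV).CryptBlocks(pt, ea.Ciphertext)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("bad padding")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return nil, errors.New("bad padding")
		}
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical IdP signing key
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // hypothetical SP encryption key
	plain := []byte(SampleAssertion)

	sig, _ := SignAssertion(idpKey, plain)
	edited := bytes.Replace(plain, []byte("alice"), []byte("bob"), 1)
	fmt.Println("signature valid on original:", VerifyAssertion(&idpKey.PublicKey, plain, sig))
	fmt.Println("signature valid after edit:", VerifyAssertion(&idpKey.PublicKey, edited, sig))

	ea, _ := EncryptAssertion(&spKey.PublicKey, plain)
	fmt.Println("NameID visible in ciphertext:", bytes.Contains(ea.Ciphertext, []byte("alice")))
	back, _ := DecryptAssertion(spKey, ea)
	fmt.Println("SP recovered original:", bytes.Equal(back, plain))
}
```

Note that CBC encryption on its own says nothing about who produced the ciphertext or whether it was altered in transit, which is exactly why the page describes the two options as complementary: signing covers integrity and origin, encryption covers confidentiality, and a deployment that needs both enables both.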