The assertion content is protected by a TLS channel between the IdP and the SP on both the artifact resolution/attribute service endpoint (port 8443) and the SSO endpoint (port 443).

We do not list any non-TLS protected endpoints in InCommon metadata, and our IdP does not respond to requests in the clear.

The certificate used by our IdP for signing and encryption of assertion content is listed in InCommon metadata, and we can sign and encrypt assertion content on request.

The InCommon metadata (http://wayf.incommonfederation.org/InCommon/InCommon-metadata.xml) lists the endpoints of our IdP. Additionally, the IdP's relying-party.xml file lists configured endpoints for sets of entityIDs.
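
The claim that no non-TLS endpoints are listed can be checked against the metadata itself. The following is an added example, not part of the original statement: it lists every endpoint published for one entityID and flags any that is not `https`. The entityID, host names and the sample document are constructed placeholders, and the sample deliberately contains one cleartext endpoint so the check has something to find.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample in the shape of a SAML metadata aggregate (placeholder hosts).
SAMPLE = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 <EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <ArtifactResolutionService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
     Location="https://idp.example.edu:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>
   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
     Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
   <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
     Location="http://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
     Location="https://idp.example.edu:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </AttributeAuthorityDescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""

def audit_endpoints(metadata_xml, entity_id):
    """Return one record per endpoint URL published for entity_id.

    Assumption: the aggregate's signature was verified before parsing.
    """
    root = ET.fromstring(metadata_xml)
    # iter() includes the root, so a bare EntityDescriptor document also works.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        findings = []
        for el in entity.iter():
            for attr in ("Location", "ResponseLocation"):
                url = el.get(attr)
                if url is None:
                    continue
                parts = urlsplit(url)
                findings.append({
                    "service": el.tag.rpartition("}")[2],
                    "url": url,
                    "port": parts.port or DEFAULT_PORTS.get(parts.scheme),
                    "tls": parts.scheme == "https",
                })
        return findings
    raise LookupError(f"entityID not found in metadata: {entity_id}")

def non_tls_endpoints(findings):
    """Endpoints that would carry SAML traffic in the clear."""
    return [f for f in findings if not f["tls"]]
```

An empty result from `non_tls_endpoints` for the IdP's entityID is the condition the statement above asserts; the `port` values show which listeners (443, 8443) need a certificate check.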

OpenSSL can be used to query and verify the certificates used on the ports (443, 8443, etc.) of our IdP.