I am really confused about where to place SAML assertions - should it go into the wsse Security Header, contained in the
SOAP header? or Should it go into the SOAP body?
If it will be in the SOAP Header, what would the SOAP body contain? would it be empty? Also, can I still encrypt assertions in the header, so that they won't be in cleartext?
If it should be in the SOAP body, well, I don't how to put it there. I am using wss4j.
Can someone PLEASE guide me on this, thanks!