By default we attempt to verify either the SAML response signature or the SAML assertion signature.
The message indicates that the SAML response is signed, but the signature couldn't be verified, and the SAML assertion isn't signed.
Signature checking is controlled by the following flags that are part of the PartnerIdentityProviderConfiguration:
WantAssertionOrResponseSigned - either the SAML assertion or response must be signed (defaults to true)
WantSamlResponseSigned - the SAML response must be signed (defaults to false)
WantAssertionSigned - the SAML assertion must be signed (defaults to false)
For most scenarios, using the default configuration of WantAssertionOrResponseSigned is recommended.
For more information regarding this configuration, please refer to the Configuration Guide.
Signing the SAML authn request is unrelated to whether the SAML assertion or response is signed.
The most likely issue is that the wrong certificate is configured for the signature verification.
Please enable SAML trace and send the generated log file as an email attachment to [email protected].
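
A quick check for the wrong-certificate case described above, as an added example that is not part of the original reply or of the SAML library: it compares the certificate embedded in a captured SAML response's signature with the certificate configured for verification. The function names and the sample response are constructed for illustration, and it assumes the identity provider includes an X509Certificate in the signature's KeyInfo.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def embedded_cert_fingerprints(saml_response_xml: str) -> dict:
    """Map each signed element to the fingerprint of the certificate in its
    ds:KeyInfo (None if signed without one). Unsigned elements are omitted."""
    root = ET.fromstring(saml_response_xml)
    elements = [("Response", root)] if root.tag == SAMLP + "Response" else []
    elements += [("Assertion", a) for a in root.iter(SAML + "Assertion")]
    found = {}
    for label, element in elements:
        sig = element.find(DS + "Signature")  # direct child = enveloped signature
        if sig is None:
            continue
        cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
        text = "".join((cert.text or "").split()) if cert is not None else ""
        found[label] = fingerprint(base64.b64decode(text)) if text else None
    return found


def diagnose(saml_response_xml: str, configured_der: bytes) -> dict:
    """Diagnostic only: the embedded certificate is attacker-controlled input
    and must never be used as the trust anchor for verification."""
    expected = fingerprint(configured_der)
    return {label: "no embedded certificate" if fp is None
            else "matches configured" if fp == expected else "differs from configured"
            for label, fp in embedded_cert_fingerprints(saml_response_xml).items()}


# Constructed sample: placeholder bytes stand in for DER certificates.
CONFIGURED_DER = b"constructed-placeholder: certificate configured locally"
SIGNING_DER = b"constructed-placeholder: certificate the IdP signed with"
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(SIGNING_DER).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion><saml:Issuer>idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, CONFIGURED_DER))
```

For a configured certificate stored as PEM, `ssl.PEM_cert_to_DER_cert` from the Python standard library gives the DER bytes to pass in.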