README.md says "It is a good idea to validate the incoming SAML Responses." It's not just a good idea, it's a critical part of the security of the system. Section 5 of the SAML core spec notes that "A SAML protocol request or response message signed by the message originator supports message integrity, authentication of message origin to a destination, and, if the signature is based on the originator's public-private key pair, non-repudiation of origin." By not verifying signatures, you lose a lot of that protection. The README file should indicate that.
Pull request #548 might also have resolved this issue (from a security point of view), even though the documentation still says "It is good idea..." in the README.md#security-and-signatures section (link points to version 3.2.1).
#548 was released in 3.0.0 (release notes), and it made the IdP certificate a mandatory configuration option.