2

I'm trying out the SimpleSAMLphp sample app with WSO2 Identity Server as the Identity Provider. I can successfully log in and log out. The SAML assertion and the response are signed.

I want to know how to validate the (response and assertion) signature in the client application using SimpleSAMLphp.

thariyarox

1 Answer

1

When acting as a Service Provider (SP), SimpleSAMLphp will always validate the response signature by default, so you don't have to do it yourself. This is mandated by 'saml2int', so I guess it conforms to that (in SAML2Core it is only recommended).

You can check the relevant SSP code which initiates the check and the signature check itself.

Marko Ivančić
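An added configuration example, not part of the answer above and not taken from the SimpleSAMLphp project: the two SP-side settings that the built-in signature check depends on. The entity IDs, host names and certificate value are placeholders; `certData` and `WantAssertionsSigned` are standard SimpleSAMLphp options.

```php
<?php
// --- File 1: metadata/saml20-idp-remote.php ---
// Trust anchor for the remote IdP (here: a WSO2 Identity Server instance).
// All identifiers and URLs below are placeholders (assumptions).
$metadata['https://idp.example.org/wso2'] = [
    'SingleSignOnService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://idp.example.org:9443/samlsso',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://idp.example.org:9443/samlsso',
        ],
    ],
    // Base64 body of the IdP's X.509 signing certificate, without the
    // BEGIN/END CERTIFICATE lines. Signatures on incoming messages are
    // verified against this key; a wrong or stale value makes logins fail.
    'certData' => 'PLACEHOLDER_BASE64_IDP_SIGNING_CERT',
];

// --- File 2: config/authsources.php ---
$config = [
    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://sp.example.org/simplesaml',   // placeholder
        'idp'      => 'https://idp.example.org/wso2',        // must match the key above
        // Defaults to false. When true, the assertion itself must carry a
        // signature; a signed response around an unsigned assertion is
        // no longer accepted.
        'WantAssertionsSigned' => true,
    ],
];
```

The application code needs no verification call of its own: `requireAuth()` on the `default-sp` source only returns after the SP module has accepted the message.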