SAML 2.0 Documentation should talk about decrypting unsigned SAML 2.0 responses

[jzheaux]

In 5.5, a change was made to disallow decryption unless the SAML 2.0 response is signed. Since this is a breaking change, we should have some documentation that shows how to restore the previous behavior to simplify upgrading to the latest.

[dawi]

@jzheaux I also stumbled over this issue after updating spring security.

I have read the related the tickets and comments, but it's still not completely clear to me.

Did I understand correctly that if I use encrypted assertions, the response needs to be signed?
It is not enough to sign the assertion? Because that is the Azure AD Default, which is now not working anymore.

Azure AD has the following options:

1. Sign SAML assertion (default)
2. Sign SAML response
3. Sign SAML response and assertion