If a SAML response contains more than one signature, e.g. one for the top level and one for an assertion, only the inner signature is currently verified. This sort of undermines the point of validation, as outside the assertion the response could have been altered and it goes unnoticed.
They are actually both checked, but failure only occurs if NO signatures are validated. Additionally, if the outer signature is valid then the inner signature is the one that is not checked (this case just assumes the inheritance of signature correctness). Definitely agree that failure to validate an outer signature (if one is present) should be an error.
Some example responses with nested signatures can be found in this PDF http://www.valtori.fi/download/noname/%7B1BD49CD9-102D-4DBA-AE89-4E76AACE7C4F%7D/12955
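The two acceptance policies discussed in this thread, side by side, as an added example that is not code from the project or from either commenter. It assumes a simplified, unnamespaced response layout and uses an HMAC as a stand-in for XML-DSig; the key, element names, helper names and sample values are all constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: stands in for the IdP's verification key

def _mac(elem):
    # Stand-in for an enveloped XML-DSig: MAC the element minus its own Signature child.
    clone = ET.fromstring(ET.tostring(elem))
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return hmac.new(KEY, ET.tostring(clone), hashlib.sha256).hexdigest()

def sign(elem):
    value = _mac(elem)
    ET.SubElement(elem, "Signature").text = value

def build_response():
    # Constructed sample: signed assertion nested in a signed response.
    resp = ET.Element("Response", Destination="https://sp.example/acs")
    assertion = ET.SubElement(resp, "Assertion")
    ET.SubElement(assertion, "NameID").text = "alice"
    sign(assertion)  # inner signature
    sign(resp)       # outer signature, also covers the signed assertion
    return resp

def signature_results(resp):
    # Map each location that carries a signature to whether that signature verifies.
    results = {}
    for name, elem in (("response", resp), ("assertion", resp.find("Assertion"))):
        sig = elem.find("Signature") if elem is not None else None
        if sig is not None:
            results[name] = hmac.compare_digest(sig.text or "", _mac(elem))
    return results

def lenient_accept(results):
    # Policy described in the reply: fail only when no signature validates.
    return any(results.values())

def strict_accept(results):
    # Policy asked for in the issue: every signature present must validate.
    return bool(results) and all(results.values())

if __name__ == "__main__":
    resp = build_response()
    resp.set("Destination", "https://other.example/acs")  # altered outside the assertion
    results = signature_results(resp)
    print(results, "lenient:", lenient_accept(results), "strict:", strict_accept(results))
```

With the response altered outside the assertion, the outer signature fails while the inner one still verifies, so the lenient policy accepts the message and the strict policy rejects it.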