Tags: certificate, single-sign-on, saml, x509certificate, xml-signature

Why sending certificates again in SAML request/response if they were already exchanged via IdP/SP metadata?


Just wondering, in SAML SSO, the SP can include its certificates in the SAML request, and the IdP can include its certificates in the SAML response/assertion, so they can verify the signatures of the messages from each other.

My question is: why include the certs in the request and response again, since the certs for signing and encryption were already exchanged when both parties obtained SAML metadata from each other?


Solution

  • In many scenarios embedded certificates shouldn't be trusted, but they're very useful when debugging signature verification issues. For example, if the partner provider has changed their certificate but this hasn't been communicated previously, it's very easy to see this has occurred by looking at the embedded certificate. Of course, you should then contact the partner provider confirming the new certificate or requesting their updated metadata.

    There are some scenarios where an embedded certificate may be trusted (e.g. the certificate issuer is trusted, the certificate is valid, and the subject name is accepted). However, in my experience, it's much more common to use the embedded certificate for debugging purposes.
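The check the answer describes, as an added example that is not part of the original post or of any SAML library: the verifier is handed only the signing certificates loaded from the partner's metadata, while any `ds:X509Certificate` embedded in the message is fingerprinted and compared against that set so an unannounced rotation shows up in the report without the embedded cert ever becoming a trust anchor. The `sample_response` skeleton and the placeholder "certificate" bytes (`METADATA_CERT`, `ROTATED_CERT`) are constructed for the example and are not real DER or real signed SAML; the actual XML-DSig verification is left to whatever library you use, fed with `trusted_candidates`.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_X509CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the form in which both metadata and ds:KeyInfo carry the cert."""
    return hashlib.sha256(der).hexdigest()


def embedded_certs(xml_text: str) -> list[bytes]:
    """DER of every ds:X509Certificate in the message. A Response can carry one in its own
    ds:Signature and another in each Assertion's ds:Signature, so collect all of them."""
    root = ET.fromstring(xml_text)
    certs = []
    for el in root.iter(DS_X509CERT):
        b64 = "".join((el.text or "").split())  # base64 is usually line-wrapped, so strip whitespace
        certs.append(base64.b64decode(b64))
    return certs


def select_verification_certs(xml_text: str, metadata_certs: list[bytes]) -> dict:
    """Decide which certs the XML-DSig verifier may use and report on the embedded ones.

    metadata_certs are the signing certs from the partner's metadata (the trust anchor).
    The verifier always gets exactly those. An embedded cert that is not in metadata is
    reported as a likely unannounced rotation but is never promoted to a trust anchor.
    """
    trusted = {cert_fingerprint(c): c for c in metadata_certs}
    report = {
        "trusted_candidates": list(trusted.values()),  # hand these, and only these, to the verifier
        "embedded": [],          # fingerprints seen in ds:KeyInfo (debugging aid)
        "unknown_embedded": [],  # embedded fingerprints absent from metadata
    }
    for der in embedded_certs(xml_text):
        fp = cert_fingerprint(der)
        report["embedded"].append(fp)
        if fp not in trusted:
            report["unknown_embedded"].append(fp)
    return report


def sample_response(cert_der: bytes) -> str:
    """Constructed, minimal SAML Response skeleton (not a real signed message) that embeds
    the given bytes as ds:X509Certificate. Used only to exercise the check above."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


# Placeholder "certificates": opaque constructed bytes standing in for DER (assumption for the example).
METADATA_CERT = b"constructed placeholder: IdP signing cert taken from metadata"
ROTATED_CERT = b"constructed placeholder: new cert the IdP rolled out without notice"


if __name__ == "__main__":
    for name, der in [("matching", METADATA_CERT), ("rotated", ROTATED_CERT)]:
        r = select_verification_certs(sample_response(der), [METADATA_CERT])
        print(f"{name}: verify with {len(r['trusted_candidates'])} metadata cert(s); "
              f"unknown embedded certs: {r['unknown_embedded']}")
```

When `unknown_embedded` is non-empty the signature check against the metadata cert will typically fail, and the report tells you why: the partner rotated their key. That is the cue to request updated metadata and reload `metadata_certs`, not to start verifying against whatever cert the message carries.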