Tags: azure, single-sign-on, sustainsys-saml2

SustainSys doesn't seem to care what certificate I use to validate response


I'm using SSO through Azure using the SustainSys Saml2 library and everything works fine. But I wanted to make sure SustainSys was really doing certificate validation, and if I configure the idP entry with a bogus certificate (the certificate exists, it just has nothing to do with the idP), I'm still able to log in and the SustainSys log shows "Signature validation passed for Saml Response". Shouldn't it be failing?


Solution

  • Did you enable metadata loading? In that case, the correct certificate is loaded through metadata. If you have another certificate configured too that doesn't matter. You create a list of trusted certificates by manual config + metadata loading and as long as one of those certificates can validate the signature the response is accepted.
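As an added illustration of the point in the answer (this is example code, not from the original post and not from the Sustainsys project), the two `IdentityProvider` setups below show why the bogus certificate went unnoticed and how to make the check meaningful. Type and member names (`IdentityProvider`, `LoadMetadata`, `MetadataLocation`, `SigningKeys.AddConfiguredKey`, `SingleSignOnServiceUrl`) are those of Sustainsys.Saml2 2.x as I recall them and should be checked against the version in use; the entity ID, metadata URL, certificate file names and the `<tenant-id>` placeholders are assumptions, not values from the post.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Sustainsys.Saml2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;

// Assumed: an ASP.NET Core app using Sustainsys.Saml2.AspNetCore2.
// Wire one of these up from AddSaml2, e.g.
//   opt.IdentityProviders.Add(Saml2TrustCheck.ConfiguredCertOnly(opt.SPOptions, "azure-idp.cer"));
public static class Saml2TrustCheck
{
    // The setup the question describes: metadata loading on, plus a manually
    // configured certificate that is unrelated to the IdP. The key from the
    // federation metadata joins the trusted set alongside the configured one,
    // and the response validates against that key, so "Signature validation
    // passed" is logged even though the configured certificate is wrong.
    public static IdentityProvider MetadataPlusUnrelatedCert(SPOptions spOptions)
    {
        var idp = new IdentityProvider(
            new EntityId("https://sts.windows.net/<tenant-id>/"), spOptions)
        {
            LoadMetadata = true,  // assumed: this is what the asker had enabled
            MetadataLocation =
                "https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml",
            AllowUnsolicitedAuthnResponse = true,
        };
        // "unrelated.cer" is a placeholder for any certificate the IdP does not sign with.
        idp.SigningKeys.AddConfiguredKey(new X509Certificate2("unrelated.cer"));
        return idp;
    }

    // The check a practitioner wants: turn metadata loading off so the trusted
    // set contains only the certificate(s) added explicitly. With an unrelated
    // certificate the library has nothing that validates the Azure AD signature
    // and the login must fail; with the real IdP certificate it must succeed.
    public static IdentityProvider ConfiguredCertOnly(SPOptions spOptions, string certPath)
    {
        var idp = new IdentityProvider(
            new EntityId("https://sts.windows.net/<tenant-id>/"), spOptions)
        {
            LoadMetadata = false,
            // Without metadata the SSO endpoint is no longer discovered, so set it by hand.
            SingleSignOnServiceUrl = new Uri("https://login.microsoftonline.com/<tenant-id>/saml2"),
            AllowUnsolicitedAuthnResponse = true,
        };
        idp.SigningKeys.AddConfiguredKey(new X509Certificate2(certPath));
        return idp;
    }
}
```

Run the login once with `ConfiguredCertOnly` pointed at the unrelated certificate and once at the IdP's real signing certificate: the first should be rejected at signature validation and the second accepted. If both succeed, something other than the configured key is still in the trusted set. For production, keeping `LoadMetadata = true` and adding no manual key is the simpler configuration, since it follows the IdP's certificate rollover; the manual-only form is mainly useful for the test above and for environments where the metadata endpoint is not reachable.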