I have been given the impression that it is possible and considered reasonable to sign SAML metadata and include the signature and public key necessary to validate it within the metadata file.
Could an interceptor not remove the signature and public key used to validate it and insert their own signature and public key thereby allowing validation to succeed?
Yes, they could. The metadata has to be initially transmitted using some other secure channel – e.g. regular HTTPS using commercial CA certificates is commonly used to protect against interception.
Usually that's what happens for SaaS stuff: whether you're downloading an SP's metadata or whether you're uploading your IdP's metadata, you're doing that over HTTPS. (So the metadata need not even be signed for the initial exchange.)
Now if an IdP or SP is configured to periodically refresh the metadata document of a known entity, then it would already have the public key from the "old" metadata to validate the new signature against.
Similarly in SAML2 "federations" like eduGAIN, a large metadata bundle (of many IdP/SP entities and their public keys) is served over HTTPS but also signed using a dedicated "eduGAIN metadata feed" keypair, and the fingerprint of that key is exchanged manually over HTTPS. Member IdPs and SPs then periodically fetch the metadata bundle and verify its signature against the dedicated public key.
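The two verification policies from the answer side by side, as an added example that is not part of the original question or answer: Ed25519 and a SHA-256 key fingerprint stand in for the XML-DSig signature and the out-of-band fingerprint exchange, and the entityID and metadata bodies are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMetadata stands in for a SAML metadata document carrying its own ds:Signature and ds:KeyInfo.
type SignedMetadata struct {
	Body   []byte
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Sign builds a self-contained signed document with the signer's key embedded.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMetadata {
	return SignedMetadata{body, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, body)}
}

// VerifyEmbedded trusts whatever key the document carries: any freshly re-signed document passes.
func VerifyEmbedded(m SignedMetadata) bool {
	return ed25519.Verify(m.PubKey, m.Body, m.Sig)
}

// Fingerprint is the SHA-256 of the public key, exchanged over HTTPS or kept from the old metadata.
func Fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// VerifyPinned accepts only if the embedded key matches the pinned fingerprint and the signature checks.
func VerifyPinned(m SignedMetadata, pinnedFP string) bool {
	return Fingerprint(m.PubKey) == pinnedFP && ed25519.Verify(m.PubKey, m.Body, m.Sig)
}

// RunScenario plays out the question: the interceptor strips the IdP's key and signature, re-signs an
// altered body with its own key and embeds that key. Returns both checks on the tampered document and
// the pinned check on the genuine one.
func RunScenario() (embeddedOK, pinnedTampered, pinnedGenuine bool, err error) {
	idpPub, idpPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	pinned := Fingerprint(idpPub) // learned earlier, never taken from the document itself
	genuine := Sign(idpPriv, []byte(`<EntityDescriptor entityID="https://idp.example.org/"/>`))
	tampered := Sign(attackerPriv, []byte(`<EntityDescriptor entityID="https://idp.example.org/">altered</EntityDescriptor>`))
	return VerifyEmbedded(tampered), VerifyPinned(tampered, pinned), VerifyPinned(genuine, pinned), nil
}
```

A refresh client that only ever ran VerifyEmbedded would accept the interceptor's document; pinning the key learned from the previous fetch or from the manually exchanged fingerprint is what makes the signature meaningful.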