The logic is now simpler:
- first lasso_saml20_profile_process_any_response check the signature
on the message
- then lasso_saml20_login_process_response_status_and_assertion
traverse all the assertions:
- if the message is signed all assertion from the same issuer are
automatically accepted,
- if the message is not signed, or the signature validation failed,
or the assertion has a different issuer than the message, we check
the signature directly on the assertion. If any of the assertions
fails the signature check, the result will be
LASSO_PROFILE_ERROR_CANNOT_VERIFY_SIGNATURE.
The public field profile->signature_status will contain only the message
level signature status, each assertion signature status is not
accessible. That will change when signature and key handling is
reworked.