Description
Describe the bug
When setting RelyingPartyRegistration's assertionConsumerServiceBinding to Saml2MessageBinding.REDIRECT, we do not consume the "SigAlg" and "Signature" query parameters in the response to validate the SAMLResponse, leading to the following error message:
Either the response or one of the assertions is unsigned. Please either sign the response or all of the assertions.
We do set the parameters on the outgoing redirect requests to the IDP, as resolved in #7711, so this is basically the flip side of that issue.
To Reproduce
Configure a RelyingPartyRegistrationRepository with assertionConsumerServiceBinding set to Saml2MessageBinding.REDIRECT and your IDP set to sign responses but not assertions. In Keycloak I just have the "Sign Documents" option checked but not the "Sign Assertions". If you change the binding to POST, everything should work normally with just the document, but not the assertions, signed. On REDIRECT it will fail because the query parameter isn't considered.
Expected behavior
Both REDIRECT and POST SAML Response Bindings should work with just the response signed.
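The check this report asks for, sketched as an added example (not part of the original report and not Spring Security's code): in the SAML HTTP-Redirect binding the signature is detached and covers the query-string octets `SAMLResponse=...&RelayState=...&SigAlg=...` exactly as received. The class and method names are hypothetical, the key pair and parameter values are constructed for the demo, and accepting only RSA-SHA256 is an assumption. Requires Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.*;
import java.util.Base64;
import static java.nio.charset.StandardCharsets.UTF_8;

public class RedirectBindingSignatureCheck {
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Raw (still URL-encoded) value of a query parameter, or null if absent.
    static String raw(String query, String name) {
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) return pair.substring(eq + 1);
        }
        return null;
    }

    static boolean verify(String query, PublicKey idpKey) throws GeneralSecurityException {
        String resp = raw(query, "SAMLResponse"), relay = raw(query, "RelayState");
        String alg = raw(query, "SigAlg"), sig = raw(query, "Signature");
        if (resp == null || alg == null || sig == null) return false; // unsigned: reject
        try {
            // Allow-list the algorithm rather than trusting whatever the message names.
            if (!RSA_SHA256.equals(URLDecoder.decode(alg, UTF_8))) return false;
            // Signed octets: the encoded values exactly as received, in this fixed order.
            String signed = "SAMLResponse=" + resp
                    + (relay != null ? "&RelayState=" + relay : "") + "&SigAlg=" + alg;
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(idpKey);
            v.update(signed.getBytes(UTF_8));
            return v.verify(Base64.getDecoder().decode(URLDecoder.decode(sig, UTF_8)));
        } catch (IllegalArgumentException | SignatureException e) { return false; }
    }

    static String enc(String v) { return URLEncoder.encode(v, UTF_8); }
    public static void main(String[] args) throws Exception {
        // Constructed key pair standing in for the IdP's signing key (JDK default size).
        KeyPair idp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String signed = "SAMLResponse=" + enc("constructed-response-value")
                + "&RelayState=" + enc("state 1") + "&SigAlg=" + enc(RSA_SHA256);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(idp.getPrivate());
        s.update(signed.getBytes(UTF_8));
        String query = signed + "&Signature=" + enc(Base64.getEncoder().encodeToString(s.sign()));
        System.out.println("intact query:   " + verify(query, idp.getPublic()));
        String tampered = query.replace("state+1", "state+2");
        System.out.println("tampered state: " + verify(tampered, idp.getPublic()));
    }
}
```

Verification has to run over the raw query string before any framework decodes and re-encodes the parameters, since a different but equivalent percent-encoding changes the signed octets.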