Commit 5c71445

Merge pull request #230419 from rahul-nagraj/saml-signature-verification-clarification
Adding details around saml signature verification
2 parents 7591d7b + 1c15274 commit 5c71445

File tree: 1 file changed (+8, -1 lines changed)

articles/active-directory/manage-apps/howto-enforce-signed-saml-authentication.md

Lines changed: 8 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -28,7 +28,14 @@ If enabled Azure Active Directory will validate the requests against the public
2828
- Key identifier in request is missing and two most recently added certificates don't match with the request signature.
2929
- Request signed but algorithm missing.
3030
- No certificate matching with provided key identifier.
31-
- Signature algorithm not allowed. Only RSA-SHA256 is supported.
31+
- Signature algorithm not allowed. Only RSA-SHA256 is supported.
32+
33+
> [!NOTE]
34+
> A `Signature` element in `AuthnRequest` elements is optional. If `Require Verification certificates` is not checked, Azure AD does not validate signed authentication requests if a signature is present. Requestor verification is provided for by only responding to registered Assertion Consumer Service URLs.
35+
36+
> If `Require Verification certificates` is checked, SAML Request Signature Verification will work for SP-initiated(service provider/relying party initiated) authentication requests only. Only the application configured by the service provider will have the access to to the private and public keys for signing the incoming SAML Authentication Reqeusts from the applicaiton. The public key should be uploaded to allow the verification of the request, in which case AAD will have access to only the public key.
37+
38+
> Enabling `Require Verification certificates` will not allow IDP-initiated authentication requests (like SSO testing feature, MyApps or M365 app launcher) to be validated as the IDP would not possess the same private keys as the registered applicaiton.
3239
3340
## To configure SAML Request Signature Verification in the Azure portal
3441
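Review bot: the blank lines at 35+ and 37+ end the `> [!NOTE]` block, so the second and third paragraphs render as plain blockquotes outside the note; make those separators `>` continuation lines instead. The added text also carries several typos: "to to", "Reqeusts", "applicaiton" (twice), a missing space in "SP-initiated(service provider", and "AAD" where line 34+ uses "Azure AD". The key-ownership sentence at 36+ ("will have the access to to the private and public keys for signing") is the security-relevant point of the note and reads unclearly; state directly that the service provider holds the private key and signs the `AuthnRequest`, while only the public key (the verification certificate) is uploaded to Azure AD, so Azure AD can verify requests but never produce signatures. In the last paragraph, "as the IDP would not possess the same private keys" explains the wrong thing: what the reader needs to know is whether IdP-initiated sign-on (SSO testing, MyApps, M365 app launcher) still works once `Require Verification certificates` is checked, so say that plainly rather than why those flows cannot be validated.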