In the documentation, it clearly states that signing is "optional":
SAML2 supports the signing and encryption of messages and assertions. Many Identity Providers make one or both mandatory. To enable this feature, you can generate a certificate for your application and provide it in config/services.php as:
However, the code says otherwise, and if no signature is present on an incoming request, an InvalidSignatureException is thrown when no signature is present. So, is the documentation incorrect, or the code?