How to ignore the received public encryption certificate

[landron]

Hello,

We have a compatibility problem when switching to gosaml2 (from pysaml2) because we don't keep the public encryption certificate. But gosaml2 will fail when decrypting an EncryptedAssertion that contains this certificate as it tries to validate it against the client provided one (which we don't keep): "The EncryptedKey may or may not include X509Data (certificate)", current line

gosaml2/types/encrypted_key.go

Line 109 in 9517aa5

// The EncryptedKey may or may not include X509Data (certificate).

. It fails even if this certificate isn't used afterwards. Can this validation be ignored in certain cases? Like using ValidateEncryptionCert also in this case maybe ?
The second question is security ... Would ignoring this certificate be a security problem ? The only justification I was able to find for this certificate inclusion is "The reason a public key is specified in the SAML response is because the metadata for an identity provider can specify multiple public keys."

Thank you,