
HTTP-Redirect signatures are ignored unless 'redirect.sign' is set #247

Open
relaxnow opened this issue Jan 15, 2016 · 2 comments

Comments

@relaxnow
Contributor

At the very least this should trigger a log warning.

@relaxnow relaxnow added the bug label Jan 15, 2016
@thijskh
Member

thijskh commented Sep 8, 2016

Should it? If we don't require a signature, but someone sends a message with one, why is it a problem to just continue and act as if there was none?

@relaxnow relaxnow added enhancement and removed bug labels Sep 8, 2016
@relaxnow
Contributor Author

relaxnow commented Sep 8, 2016

This issue was created in response to an incident where an SP was misconfigured, but we didn't notice until we connected the SP to a different IdP and were puzzling over why the signature was suddenly broken.

I agree that OpenConext is not required to validate the signature (changed this to enhancement).
However, if an SP sends a signature anyway, this could be indicative of a misconfigured SP or, worse, an SP that expects request verification because it wants us to redirect to a different ACS or it wants to be used as an SP proxy (like Stepup Gateway), but we simply ignore it.

Somewhere there is a difference between what we expect the SP to send and what it actually sends. While I agree that we shouldn't break on it, ideally you'd inform the SP so it doesn't expect us to do something we don't.
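Added example (not OpenConext's code): the check this thread asks for, classifying an incoming HTTP-Redirect request by whether `Signature`/`SigAlg` are present versus what the SP's `redirect.sign` setting expects, and logging the mismatch instead of silently ignoring it. The `SP_CONFIG` shape, the entity IDs and the function name are assumptions; the configured-and-signed case is only handed off as `verify`, the actual signature check is out of scope here.

```python
import logging
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("saml.redirect")

# Constructed per-SP configuration keyed by entityID. 'redirect.sign' mirrors
# the setting named in the issue; the dict layout is assumed, not OpenConext's.
SP_CONFIG = {
    "https://sp.example.org/metadata": {"redirect.sign": False},
    "https://gateway.example.org/metadata": {"redirect.sign": True},
}


def classify_redirect(sp_entity_id: str, url: str) -> str:
    """Return 'verify', 'reject', 'warn' or 'ok' for an HTTP-Redirect request.

    'warn' is the case from the issue: the SP is not configured to sign, yet it
    sent Signature/SigAlg, so we log it rather than dropping it unnoticed.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "SAMLRequest" not in query:
        log.warning("%s: HTTP-Redirect without SAMLRequest", sp_entity_id)
        return "reject"
    sp = SP_CONFIG.get(sp_entity_id)
    if sp is None:
        log.warning("%s: unknown SP entityID", sp_entity_id)
        return "reject"
    has_sig = "Signature" in query
    has_alg = "SigAlg" in query
    if has_sig != has_alg:
        # Half a redirect signature is malformed regardless of configuration.
        log.warning("%s: Signature and SigAlg must both be present", sp_entity_id)
        return "reject"
    required = sp.get("redirect.sign", False)
    if required and has_sig:
        return "verify"          # hand off to the real signature check
    if required:
        log.warning("%s: redirect.sign is set but request is unsigned", sp_entity_id)
        return "reject"
    if has_sig:
        # The situation the issue describes: signature sent, config ignores it.
        log.warning("%s: signed HTTP-Redirect request received but "
                    "redirect.sign is not set; signature NOT verified "
                    "(SigAlg=%s)", sp_entity_id, query["SigAlg"][0])
        return "warn"
    return "ok"
```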
