pysaml2
Metadata verification settings
For all of the InMemoryMetadata based classes, the signature checking is done in a rather implicit and not obvious way with the use of https://github.com/rohe/pysaml2/blob/1da840e4dc4b7ea4685dca4f214b87b5d5d17d95/src/saml2/mdstore.py#L634-L651
That basically says that if self.cert is False for any reason, then we don't do verification and assume the deployer didn't want to do any verification. What's more, we return True (implying we checked and verified the signature).
We should probably make signature checking more of an explicit setting and not deduce that from the absence/presence of an (admittedly related) configuration option. Or at least make sure that it is clearer in the configuration.
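The behaviour described above, and the explicit alternative proposed, as an added example. This is not pysaml2's code: the class and method names are hypothetical, and real XML-DSig verification is stood in for by an HMAC-SHA256 tag keyed with whatever is configured as the cert material, so the control flow (skip-and-report-success versus an explicit, validated setting) is what the example is about.

```python
"""Added example, not pysaml2 code.

Assumptions: ``_signature_valid`` stands in for XML signature verification
using HMAC-SHA256 keyed with the configured cert bytes; the loader classes
and their ``load`` method are hypothetical, not pysaml2's API.
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample input: metadata bytes and the "cert" material a deployer
# would configure for signature verification.
SAMPLE_METADATA = b"<EntitiesDescriptor><EntityDescriptor/></EntitiesDescriptor>"
TRUSTED_CERT = b"constructed-cert-material-for-the-example"


def sign_metadata(metadata: bytes, cert: bytes) -> bytes:
    """Produce a signature the stand-in verifier accepts (assumption: HMAC)."""
    return hmac.new(cert, metadata, hashlib.sha256).digest()


def _signature_valid(metadata: bytes, signature: bytes, cert: bytes) -> bool:
    """Stand-in for XML-DSig verification: constant-time HMAC comparison."""
    expected = hmac.new(cert, metadata, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


class ImplicitMetadataLoader:
    """Mirrors the behaviour the issue reports: verification only happens when
    ``cert`` is truthy, and a skipped check is reported as success."""

    def __init__(self, cert: Optional[bytes] = None):
        self.cert = cert

    def load(self, metadata: bytes, signature: Optional[bytes]) -> bool:
        if not self.cert:
            # No cert configured (or it became None by mistake): the check is
            # skipped and True is returned, so the caller cannot tell the
            # difference between "verified" and "never looked".
            return True
        return _signature_valid(metadata, signature or b"", self.cert)


class ExplicitMetadataLoader:
    """The explicit setting the issue asks for: ``verify_signature`` is a
    separate decision, and an inconsistent configuration (verification on,
    no cert) fails at construction time instead of silently disabling the
    check."""

    def __init__(self, cert: Optional[bytes] = None, verify_signature: bool = True):
        if verify_signature and not cert:
            raise ValueError("verify_signature=True but no cert configured")
        self.cert = cert
        self.verify_signature = verify_signature

    def load(self, metadata: bytes, signature: Optional[bytes]) -> bool:
        if not self.verify_signature:
            return True  # deployer explicitly opted out; nothing implied
        if signature is None:
            return False  # unsigned metadata is rejected when verification is on
        return _signature_valid(metadata, signature, self.cert)


if __name__ == "__main__":
    # With no cert, the implicit loader "passes" garbage; the explicit loader
    # refuses to be constructed in that state.
    print(ImplicitMetadataLoader().load(SAMPLE_METADATA, b"garbage"))
    try:
        ExplicitMetadataLoader(cert=None)
    except ValueError as exc:
        print("explicit loader rejected config:", exc)
```

The practical check this suggests for a deployment: after loading metadata, confirm that the cert the loader believes it has is the one you configured; a `None` produced by a typo in the config key leaves the implicit loader reporting success on unverified metadata.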
When I built my setup I had to read the sources to solve my problems; this solution is not needed for metadata validation but is used to download metadata from an https service with a private CA issuer.
https://github.com/peppelinux/Django-Identity/blob/master/djangosaml2_sp/djangosaml2_sp/djangosaml2_sp/sp_pysaml2_shibidp.py#L25
I found that one of the following must be declared globally to get the remote IdP metadata fetch to work without any exceptions:
'disable_ssl_certificate_validation': True,
or, better:
'ca_certs': os.path.join(BASE_DIR, 'certificates/shibidp', "testunical.it-cacert.pem"),
That sounds very good for a documentation enhancement! Isn't it @c00kiemon5ter ? :)