Some SAML IDP (for example ADFS) signs the SAML assertion instead of SAML response, so it might be useful if SAML broker (SAMLIdentityProvider) offers possibility to validate the signature on SAML assertion. For SAML adapter we support it now ( see KEYCLOAK-2894 ), but it looks we don't support for SAML identity broker as of now.