sources/saml: move SAML Response signature verification before decryption

[ikob]

Details

When a SAML Response is encrypted, signature verification may fail because it is performed after decryption, when the original signed structure has changed.
This PR moves the verification step for signed responses to before decryption to handle encrypted signed responses correctly.
For backward compatibility, the post-decryption check remains as a fallback.

Hopefully close 405 errors at the step 4 of #16627

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	16a290a
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/694e7b725b77c6000840682e
😎 Deploy Preview	https://deploy-preview-18176--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	16a290a
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/694e7b72b8a31f00084b4108
😎 Deploy Preview	https://deploy-preview-18176--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	16a290a
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/694e7b723b91510008fba62c
😎 Deploy Preview	https://deploy-preview-18176--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 94.52055% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.11%. Comparing base (61e45ca) to head (16a290a).
⚠️ Report is 313 commits behind head on main.

Files with missing lines	Patch %	Lines
authentik/sources/saml/processors/response.py	92.15%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #18176      +/-   ##
==========================================
- Coverage   93.37%   93.11%   -0.27%     
==========================================
  Files         950      950              
  Lines       52229    52271      +42     
==========================================
- Hits        48771    48673      -98     
- Misses       3458     3598     +140     

Flag	Coverage Δ
conformance	38.80% <4.10%> (-0.03%)	⬇️
e2e	43.53% <4.10%> (-1.07%)	⬇️
integration	23.32% <0.00%> (-0.07%)	⬇️
unit	91.60% <94.52%> (+<0.01%)	⬆️
unit-migrate	91.64% <94.52%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[PeshekDotDev]

Can you also add a couple comments just saying "This is the fallback verification", etc?

Really appreciate you getting to this @ikob

[tfc]

Hey @ikob is this here fixing #16627 ? If yes - what can I do to help push this further?

[ikob]

Hey @ikob is this here fixing #16627 ?

Partially yes as as mentioned...

Hopefully close 405 errors at the step 4 of #16627

If yes - what can I do to help push this further?

I am not sure the review/merging priority, but your interests may help including this conversation.

[tfc]

@rissson @PeshekDotDev anything we can do to advance this further?

[hassidan]

any update about that?

[tfc]

Is fixing google login with signed callbacks no priority, or is there anything controversial about this PR?

[PeshekDotDev]

Hey everyone, I have made a different version of this PR that is more in line with our engineering style. I appreciate everyone's patience, and if there are any questions — or especially if there are any other saml source/provider related issues you all have found — please let me know. I am committed to getting our SAML experience as nice as possible

Thank you

Alternate PR — #19593

[ikob]

@PeshekDotDev,
I made a PR to add test cases based on this PR. Take look #19647