validate certificate of service provider
Cantor, Scott
cantor.2 at osu.edu
Tue Jul 2 08:04:46 EDT 2019
Nothing in the certificate but the key impacts the processing model standardized at OASIS and used by this software. The only reason it ever matters is when the SP is broken and refuses to run with a certificate that's expired itself. If it's running, then there is nothing you need to do and nothing you should do.
> That's possible because they didn't sign or can't sign their
> authentication requests and the idp will accept the request also without
> a signature.
That's not true. It works because the expiration doesn't matter, and that applies to both signing and encryption.
-- Scott
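
Added example, not part of the original message and not Shibboleth code: a Go sketch of the key-only evaluation described above, in which a signature is checked against the key taken from a certificate whose validity period has passed. The function names, `sp.example.org`, the ECDSA key type and the message bytes are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signedRequest builds constructed test data: an SP key, a self-signed certificate for it
// that expired a year ago, and a signature by that key over a placeholder message.
func signedRequest() (cert *x509.Certificate, msg, sig []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sp.example.org"},
		NotBefore: time.Now().AddDate(-3, 0, 0), NotAfter: time.Now().AddDate(-1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	if cert, err = x509.ParseCertificate(der); err != nil {
		return nil, nil, nil, err
	}
	msg = []byte("constructed request bytes")
	d := sha256.Sum256(msg)
	sig, err = ecdsa.SignASN1(rand.Reader, key, d[:])
	return cert, msg, sig, err
}

// check verifies sig with the key from the metadata certificate only; expiry is reported, not enforced.
func check(metadataCert *x509.Certificate, msg, sig []byte) (expired, sigOK bool) {
	pub, ok := metadataCert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(msg)
	return time.Now().After(metadataCert.NotAfter), ok && ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	cert, msg, sig, err := signedRequest()
	if err != nil {
		panic(err)
	}
	fmt.Println(check(cert, msg, sig)) // prints "true true"
}
```

The dates, subject and issuer of the certificate are never consulted in `check`; only a different key or altered message bytes make verification fail.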