...

In the verification process the following criteria of the XML signature are also considered. However, at the moment failing them is not treated as a fatal error. (Some items on this list may be moved to the table above once the eduGAIN SAML Profile v2 makes them mandatory.)

  • The signature was made using an explicit ID reference, not an empty reference.

  • The signature reference refers to the document element (this helps to avoid "wrapping attacks").

  • The digest algorithm is at least as strong as SHA-256. Specifically, MD5 and SHA-1 are not permitted as digest algorithms.

  • The signature method is RSA with an associated digest at least as strong as SHA-256. Specifically, RSA-MD5 and RSA-SHA1 are not permitted as signature methods.

  • The signature's transforms contain only permissible values:

    • Enveloped signature

    • Exclusive canonicalisation with or without comments

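The checks above can be applied to a metadata document before any cryptographic verification takes place. The following is an added example, not the eduGAIN validator's own code: it walks the ds:SignedInfo of a SAML metadata document with the Python standard library and reports which of the listed criteria fail (explicit ID reference, reference to the document element, digest and signature algorithms at least SHA-256, permitted transforms). It does not verify the SignatureValue itself; a real validator still has to do that with an XMLDSig library. The function name `check_signature`, the finding codes, the `_doc` helper and the sample documents are all constructed for this illustration; the algorithm URIs are the standard XMLDSig identifiers. As a small step beyond the list, it also flags a document in which the referenced ID is not unique, which is another way a wrapping attack can be staged.

```python
"""Structural checks on the XML Signature over a SAML metadata document.

Added example, not the eduGAIN validator's own code. It checks the signature's
shape (reference, digest, signature method, transforms) against the criteria
listed above; it does not verify the SignatureValue.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
DSM = "http://www.w3.org/2001/04/xmldsig-more#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"

# Digest and signature algorithms at least as strong as SHA-256 (MD5/SHA-1 absent).
ALLOWED_DIGESTS = {XENC + "sha256", DSM + "sha384", XENC + "sha512"}
ALLOWED_SIGNATURE_METHODS = {DSM + "rsa-sha256", DSM + "rsa-sha384", DSM + "rsa-sha512"}
# Enveloped signature and exclusive canonicalisation, with or without comments.
ALLOWED_TRANSFORMS = {DS + "enveloped-signature", EXC_C14N, EXC_C14N + "WithComments"}


def check_signature(xml_text):
    """Return a list of (code, detail) findings; an empty list means all criteria hold."""
    findings = []
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return [("no-signature", "no ds:Signature child of the document element")]
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    if signed_info is None:
        return [("no-signedinfo", "ds:Signature has no ds:SignedInfo")]

    # Signature method: RSA with a digest at least as strong as SHA-256.
    sm = signed_info.find(f"{{{DS}}}SignatureMethod")
    sm_alg = sm.get("Algorithm") if sm is not None else None
    if sm_alg not in ALLOWED_SIGNATURE_METHODS:
        findings.append(("weak-signature-method", sm_alg))

    refs = signed_info.findall(f"{{{DS}}}Reference")
    if len(refs) != 1:
        findings.append(("reference-count", str(len(refs))))
    for ref in refs:
        uri = ref.get("URI", "")
        if uri == "":
            # An empty URI means "the whole document", not an explicit ID reference.
            findings.append(("empty-reference", "URI is empty"))
        elif not uri.startswith("#") or root.get("ID") != uri[1:]:
            # The reference must point at the document element (wrapping-attack defence).
            findings.append(("reference-not-document-element", uri))
        elif sum(1 for e in root.iter() if e.get("ID") == uri[1:]) != 1:
            # Extra check beyond the list: the referenced ID must be unique in the document.
            findings.append(("duplicate-id", uri))

        dm = ref.find(f"{{{DS}}}DigestMethod")
        dm_alg = dm.get("Algorithm") if dm is not None else None
        if dm_alg not in ALLOWED_DIGESTS:
            findings.append(("weak-digest", dm_alg))

        for t in ref.iterfind(f"{{{DS}}}Transforms/{{{DS}}}Transform"):
            if t.get("Algorithm") not in ALLOWED_TRANSFORMS:
                findings.append(("bad-transform", t.get("Algorithm")))
    return findings


def _doc(ref_uri, sig_alg, digest_alg, transforms, root_id="_abc123"):
    """Constructed sample: a minimal signed EntitiesDescriptor with placeholder values."""
    ts = "".join(f'<ds:Transform Algorithm="{t}"/>' for t in transforms)
    return f"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS}" ID="{root_id}" Name="https://example.org/metadata">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="{ref_uri}">
        <ds:Transforms>{ts}</ds:Transforms>
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.org/idp" ID="_ent1"/>
</md:EntitiesDescriptor>"""


GOOD_TRANSFORMS = [DS + "enveloped-signature", EXC_C14N]
# Meets every criterion in the list.
GOOD = _doc("#_abc123", DSM + "rsa-sha256", XENC + "sha256", GOOD_TRANSFORMS)
# Empty reference, RSA-SHA1, SHA-1 digest and inclusive c14n: fails four criteria.
BAD = _doc("", DS + "rsa-sha1", DS + "sha1",
           [DS + "enveloped-signature", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"])
# Signs a nested EntityDescriptor instead of the document element.
WRAPPED = _doc("#_ent1", DSM + "rsa-sha256", XENC + "sha256", GOOD_TRANSFORMS)

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD), ("WRAPPED", WRAPPED)):
        print(name, check_signature(doc))
```

Because these criteria are non-fatal in the current eduGAIN process, a caller would log the findings rather than reject the feed; the `duplicate-id` check is an addition of this example and not one of the page's listed criteria.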
...