No exception thrown when receiving a message which is missing a SAML assertion signature element.
I have a scenario where I am trying to process a message with message level security including a SAML 2.0 holder-of-key assertion. In the process of testing a negative scenario, I have found that if the Security/Assertion/Issuer/Signature element is not present - metro will continue to process the message as if the security of message is ok. I believe this field is required for message level security.
Here is an example excerpt of a message which I believe should fail with a soap fault, but is processed normally: