Clarify documentation about SAML request signature

doc/sources/admin/idpsaml.rst

@@ -154,11 +154,13 @@ Signature
 These options override service signature options (see
 :ref:`SAML service configuration<samlservice-general-options>`).
 
--  **Signature method**: signature method for messages sent to this service
--  **Sign SSO message**: sign SSO message
--  **Check SSO message signature**: check SSO message signature
--  **Sign SLO message**: sign SLO message
--  **Check SLO message signature**: check SLO message signature
+-  **Signature method**: the algorithm used to sign messages sent to this service
+-  **Sign SSO message**
+-  **Check SSO message signature**: "On" means that LemonLDAP::NG will verify
+   signatures if IDP and SP metadata require it. "Off" will disable signature
+   verification entirely.
+-  **Sign SLO message**
+-  **Check SLO message signature**
 
 Security
 ''''''''

doc/sources/admin/samlservice.rst

@@ -334,13 +334,18 @@ Identity Provider
 General parameters
 ^^^^^^^^^^^^^^^^^^
 
-* **Want Authentication Request Signed**: set to On to require that received authentication request are signed.
-
+* **Want Authentication Request Signed**: By default, LemonLDAP::NG requires all SAML Requests to be signed. Set it to "Off" to let each Service Provider metadata decide if their requests should be verified by LemonLDAP::NG or not.
 
 .. tip::
 
-    This option can then be overridden for each Service
-    Provider.
+    The per-SP "Check SSO message signature" setting allows you to disable
+    signature verification even if this option is set to "On" globally
+
+This option will set the `WantAuthnRequestsSigned` attribute to `true` in LemonLDAP::NG's IDP Metadata.
+
+.. warning::
+
+   This setting requires Lasso 2.6.1 to be effective. Older versions behave as if this setting was set to "Off"
 
 Single Sign On
 ^^^^^^^^^^^^^^