sources/saml: move SAML Response signature verification before decryption

[ikob]

Details

When a SAML Response is encrypted, signature verification may fail because it is performed after decryption, when the original signed structure has changed.
This PR moves the verification step for signed responses to before decryption to handle encrypted signed responses correctly.
For backward compatibility, the post-decryption check remains as a fallback.

Hopefully close 405 errors at the step 4 of #16627

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	5a34eb4
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69339987a2c63d0008c419ac
😎 Deploy Preview	https://deploy-preview-18176--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	5a34eb4
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/6933998722b0030008641a38
😎 Deploy Preview	https://deploy-preview-18176--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	5a34eb4
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/69339987473fff0008269fdb
😎 Deploy Preview	https://deploy-preview-18176--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 4.68750% with 61 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.49%. Comparing base (dbbfb3c) to head (5a34eb4).

Files with missing lines	Patch %	Lines
authentik/sources/saml/processors/response.py	2.38%	41 Missing ⚠️
authentik/sources/saml/tests/test_response.py	9.09%	20 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (dbbfb3c) and HEAD (5a34eb4). Click for more details.

HEAD has 23 uploads less than BASE

Flag	BASE (dbbfb3c)	HEAD (5a34eb4)
e2e	8	3
unit	10	2
unit-migrate	10	0

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #18176       +/-   ##
===========================================
- Coverage   93.22%   55.49%   -37.73%     
===========================================
  Files         933      933               
  Lines       51227    51264       +37     
===========================================
- Hits        47754    28450    -19304     
- Misses       3473    22814    +19341     

Flag	Coverage Δ
e2e	39.87% <1.56%> (-4.86%)	⬇️
integration	22.74% <0.00%> (-0.07%)	⬇️
unit	52.77% <4.68%> (-38.66%)	⬇️
unit-migrate	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[PeshekDotDev]

Can you also add a couple comments just saying "This is the fallback verification", etc?

Really appreciate you getting to this @ikob