sources/SAML: move SAML Response signature verification before decryption

[ikob]

Details

When a SAML Response is encrypted, signature verification may fail because it is performed after decryption, when the original signed structure has changed.
This PR moves the verification step for signed responses to before decryption to handle encrypted signed responses correctly.
For backward compatibility, the post-decryption check remains as a fallback.

Hopefully close 405 errors at the step 4 of #16627

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make docs)

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	bd8425c
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69061afe7821f300086bf938
😎 Deploy Preview	https://deploy-preview-17873--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	bd8425c
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/69061afee77a06000816be0d
😎 Deploy Preview	https://deploy-preview-17873--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	bd8425c
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/69061afe3e9cd30008bc694a

[codecov]

Codecov Report

❌ Patch coverage is 95.52239% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.89%. Comparing base (9763cf3) to head (bd8425c).

Files with missing lines	Patch %	Lines
authentik/sources/saml/processors/response.py	92.85%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17873      +/-   ##
==========================================
+ Coverage   92.64%   92.89%   +0.25%     
==========================================
  Files         869      869              
  Lines       47960    48000      +40     
==========================================
+ Hits        44431    44591     +160     
+ Misses       3529     3409     -120     

Flag	Coverage Δ
e2e	45.18% <8.95%> (+1.16%)	⬆️
integration	23.11% <0.00%> (-0.08%)	⬇️
unit	91.08% <95.52%> (+<0.01%)	⬆️
unit-migrate	91.13% <95.52%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.