drop SAML IdP metadata XML · parse signing certs + endpoints + history
flags expired validUntil · weak signing key size · duplicate EntityID · HTTP vs HTTPS endpoint mismatch
heuristic screener · metadata layout varies — namespace and extension differences may reduce coverage · not definitive proof
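
One way to implement three of the flags above (expired validUntil, duplicate EntityID, HTTP vs HTTPS endpoint mismatch), added here as an example and not this tool's own code. Assumptions: "mismatch" is read as one entity mixing URL schemes across its endpoints, the flag names and the `SAMPLE` document are constructed, and the key-size check is left out because it needs an X.509 parser.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlsplit
ENDPOINTS = {"SingleSignOnService", "SingleLogoutService", "ArtifactResolutionService"}
# Constructed sample aggregate; every name and URL in it is made up.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="constructed-feed" validUntil="2020-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.test/a"><md:IDPSSODescriptor>
    <md:SingleSignOnService Location="https://idp.example.test/sso"/>
    <md:SingleLogoutService Location="http://idp.example.test/slo"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.test/a" validUntil="2999-01-01T00:00:00Z"/>
</md:EntitiesDescriptor>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # local name only: tolerate prefix/namespace variation

def is_expired(value, now):
    if not value:
        return False
    ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if ts.tzinfo is None:  # assumption: a zone-less xs:dateTime is treated as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts < now

def screen(xml_text, now=None):
    """Return sorted (flag, subject) findings for one metadata document."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)  # untrusted uploads: parse with defusedxml instead
    findings, seen = set(), set()
    for el in root.iter():
        name = local(el.tag)
        if name not in ("EntitiesDescriptor", "EntityDescriptor"):
            continue
        subject = el.get("entityID") or el.get("Name") or "(unnamed)"
        try:
            if is_expired(el.get("validUntil"), now):
                findings.add(("expired-validUntil", subject))
        except ValueError:
            findings.add(("unparseable-validUntil", subject))
        if name == "EntityDescriptor":
            if subject in seen:
                findings.add(("duplicate-entityID", subject))
            seen.add(subject)
            schemes = {urlsplit(e.get("Location")).scheme.lower() for e in el.iter()
                       if local(e.tag) in ENDPOINTS and e.get("Location")}
            if len(schemes) > 1:
                findings.add(("endpoint-scheme-mismatch", subject))
    return sorted(findings)
```

Pass a fixed `now` to `screen()` to get reproducible results when re-checking archived metadata.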