I have a question regarding the SAML Authentication Request. When an IDP receives a SAML authentiocation request, how can they validate the sender of the request? The issuer name, provider name, AssertionConsumerServiceURL and the signature are all optional. If none of these are in the request, how can the sender of the request be validated?