Add to the doc the basic necessity of SAML security
We can add a lot of verification between request/response (that the IDs match,
that the response is qualified toward the SP, etc.), but there will always be
things we cannot verify inside Lasso, like the IP of the client (if the IdP adds
it as a verification means to the AuthnResponse) or if the notBefore, notAfter
attributes are respected (we are not sure of the time at the SP).
We should explicitly mention all those things that the SP could and should
verify around SAML exchanges but that are not in the scope of Lasso. It should
eventually be a section of the documentation.
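
The two SP-side checks named above, sketched as an added example (not part of the original ticket and not Lasso code): the validity window compared against the SP's clock with a skew allowance, and the client address compared against the `Address` attribute of `SubjectConfirmationData`. The function name, the sample assertion and the 60-second skew are assumptions; SAML 2.0 names the window attributes `NotBefore` and `NotOnOrAfter`.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Address="192.0.2.10"
          NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
      NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    # Assumption: instants are UTC xs:dateTime values ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sp_side_checks(assertion_xml, client_ip, now, skew=timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means all passed.

    Assumes the signature and request/response matching were already
    verified by the SAML library; `now` is the SP's own clock, and `skew`
    absorbs the clock uncertainty between IdP and SP.
    """
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall(".//saml:SubjectConfirmationData", NS)
    failures = []
    # Both Conditions and SubjectConfirmationData can carry a validity window.
    for el in root.findall("saml:Conditions", NS) + confirmations:
        name = el.tag.split("}")[1]
        not_before, not_on_or_after = el.get("NotBefore"), el.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            failures.append(name + ": not yet valid")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            failures.append(name + ": expired")
    # Address is optional; compare only when the IdP included it.
    for scd in confirmations:
        addr = scd.get("Address")
        if addr and ipaddress.ip_address(addr) != ipaddress.ip_address(client_ip):
            failures.append(name_of(scd) + ": client address mismatch")
    return failures


def name_of(el):
    # Local element name without the XML namespace prefix.
    return el.tag.split("}")[1]
```

The client address passed in must be the one the SP actually trusts; behind a reverse proxy or NAT the address the IdP saw and the one the SP sees can legitimately differ, so a mismatch needs a deployment-specific policy.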