WantAssertionSigned
specifies that the SAML assertion must be signed. It defaults to false.
WantSAMLResponseSigned
specifies that the SAML response must be signed. It defaults to false.
WantAssertionOrResponseSigned
specifies that either the SAML assertion or SAML response must be signed. It defaults to true. This is useful when you’re not sure which is signed but you expect one of them to be signed.
By default, Azure AD signs the SAML assertion and not the SAML response.
My recommendation is to leave the configuration flags at their defaults. WantAssertionOrResponseSigned will check for either a SAML assertion or SAML response signature. If neither is signed, or one is signed but the signature fails to verify, an exception is thrown. If either is signed and the signature verifies, no exception is thrown.
Also, double-check that the correct partner certificate is configured.
If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
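The acceptance rule the three flags describe, written out as an added example (this is illustrative code, not ComponentSpace's library or its API). It parses a constructed SAML Response, locates the enveloped signature on the Response and on the Assertion, confirms each signature's Reference URI points at the element that contains it, and then applies WantAssertionSigned, WantSAMLResponseSigned and WantAssertionOrResponseSigned in the way the reply above states. The flag names, the sample XML and `stub_verify` are assumptions for this example: the stub stands in for real XMLDSig verification and treats only a marker value as a valid signature, and checking that the signing certificate is the configured partner certificate is left to the real library.

```python
"""Added example: the signature-acceptance rule implied by the three flags,
applied to a constructed SAML Response.  Not ComponentSpace code; the
cryptographic XMLDSig check is delegated to a caller-supplied callable."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlSignatureError(Exception):
    """Raised where the library would throw: missing or unverifiable signature."""


@dataclass
class SignaturePolicy:
    """Field names mirror the partner IdP flags; values are the documented defaults."""
    want_assertion_signed: bool = False
    want_saml_response_signed: bool = False
    want_assertion_or_response_signed: bool = True


def enveloped_signature(element: ET.Element) -> Optional[ET.Element]:
    """Return the ds:Signature that is a direct child of `element` and whose
    Reference URI points at that element's own ID; None if the element is unsigned.
    A child signature that references some other ID is an error, not a signature
    for this element, so it cannot be 'borrowed' by a different element."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + element.get("ID", ""):
        raise SamlSignatureError("signature does not reference its enclosing element")
    return sig


def check_signatures(response_xml: str, policy: SignaturePolicy,
                     verify: Callable[[ET.Element], bool]) -> dict:
    """Apply the policy; raise SamlSignatureError exactly where the flags say to."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlSignatureError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # EncryptedAssertion is out of scope for this example
        raise SamlSignatureError("no plaintext saml:Assertion")
    found = {"response": enveloped_signature(root),
             "assertion": enveloped_signature(assertion)}
    # Any signature that is present must verify, whatever the flags say.
    for name, sig in found.items():
        if sig is not None and not verify(sig):
            raise SamlSignatureError(f"{name} signature failed to verify")
    response_signed = found["response"] is not None
    assertion_signed = found["assertion"] is not None
    if policy.want_saml_response_signed and not response_signed:
        raise SamlSignatureError("SAML response is not signed")
    if policy.want_assertion_signed and not assertion_signed:
        raise SamlSignatureError("SAML assertion is not signed")
    if policy.want_assertion_or_response_signed and not (response_signed or assertion_signed):
        raise SamlSignatureError("neither the SAML response nor the assertion is signed")
    return {"response_signed": response_signed, "assertion_signed": assertion_signed}


def build_response(sign_response: Optional[str] = None,
                   sign_assertion: Optional[str] = None) -> str:
    """Constructed minimal Response.  Each sign_* is None (unsigned) or the text
    placed in SignatureValue; stub_verify treats only "VALID" as a good signature."""
    def sig(ref_id: str, value: str) -> str:
        return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
                '</ds:SignedInfo><ds:SignatureValue>%s</ds:SignatureValue></ds:Signature>'
                % (NS["ds"], ref_id, value))
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">' % (NS["samlp"], NS["saml"])
        + (sig("_r1", sign_response) if sign_response is not None else "")
        + '<saml:Assertion ID="_a1">'
        + (sig("_a1", sign_assertion) if sign_assertion is not None else "")
        + '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


def stub_verify(signature: ET.Element) -> bool:
    """Stand-in for real XMLDSig verification (constructed for this example only)."""
    return signature.findtext("ds:SignatureValue", namespaces=NS) == "VALID"


def run_case(policy: SignaturePolicy, sign_response: Optional[str] = None,
             sign_assertion: Optional[str] = None) -> str:
    """Return 'accepted' or the rejection reason, for easy tabulation."""
    try:
        check_signatures(build_response(sign_response, sign_assertion), policy, stub_verify)
        return "accepted"
    except SamlSignatureError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    defaults = SignaturePolicy()
    print(run_case(defaults, sign_assertion="VALID"))          # Azure AD default shape
    print(run_case(defaults))                                   # nothing signed
    print(run_case(SignaturePolicy(want_saml_response_signed=True), sign_assertion="VALID"))
    print(run_case(defaults, sign_assertion="TAMPERED"))        # present but invalid
```

Running the cases shows why the defaults suit an Azure AD partner: an assertion-only signature is accepted, while turning on WantSAMLResponseSigned rejects that same message. Note the one combination the flags allow that you should never ship: all three set to false accepts a response with no signature at all, which means anyone who can post to the assertion consumer service can assert any identity.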