Allow the SAML signature alg to be set per-provider
Summary
Currently, there is a global setting that decides the SAML signature algorithm.
In order to handle a smoother migration to stronger algs, we should give users the option to override the global setting with a SP or IDP
Design proposition
Lasso lets us do this with set_server_signing_key
, but only when using a certificate as the public part of the key (see also #2316 (closed) for why this is a good idea anyways)