Hello,
I have a small update in order to close this issue.
The identity provider that produced the invalid signatures has fixed their signatures so that we can verify them using the latest LTS version of OpenSSL. We use Bouncy Castle in some products and it does not catch the invalid signatures either, or at least not the way we use it.
Anyway, this is a satisfactory outcome.
Thank you for the help, everyone!
Regards,
Steffen