To answer the question myself: Having an empty URI means that the whole document must be checked.
https://stackoverflow.com/questions/29843071/xmldsig-do-i-have-to-specify-reference-uri-in-an-enveloped-signature

So in this case the client has to adapt the saml2 assertion...

--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
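The following is an added example, not part of the original post and not CXF code: a small Python check that reports what each `ds:Reference` of an enveloped signature covers, treating `URI=""` as the whole document as described above. The sample assertion, its ID values and the function name `reference_scope` are constructed for illustration, and the code only inspects the reference; it does not verify digests or signature values.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a SAML2 assertion with an enveloped signature.
# DigestValue / SignatureValue are omitted because only the Reference is inspected.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="{id}">
  <saml2:Issuer>https://idp.example.test</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:Reference URI="{uri}">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</saml2:Assertion>"""


def reference_scope(xml_text):
    """Return [(scope, covers_root)] for each ds:Reference of the signature
    that is a direct child of the document's root element."""
    root = ET.fromstring(xml_text)
    results = []
    for ref in root.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI")
        if uri is None:
            # No URI attribute: the application must know what was signed.
            results.append(("application-defined", False))
        elif uri == "":
            # Empty URI: the whole document containing the signature.
            results.append(("whole-document", True))
        elif uri.startswith("#"):
            # Same-document reference: covers the root only if the IDs match.
            results.append(("same-document-id", uri[1:] == root.get("ID")))
        else:
            results.append(("external", False))
    return results


if __name__ == "__main__":
    for uri in ("", "#_a1", "#_other"):
        print(repr(uri), reference_scope(SAMPLE.format(id="_a1", uri=uri)))
```
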