How do I ensure a SAML Assertion's Identity Provider with an embedded X509 Certificate is Legitimate?

Question

I am trying to implement a SAML Service Provider in order to allow for SSO to a cloud-based application, this application can host multiple tenants or companies. Normally,