mbg / wai-saml2

WAI middleware implementing SAML2
MIT License

Return response's "InResponseTo" field from validation #33

Closed Philonous closed 1 year ago

Philonous commented 1 year ago

This PR adds support for InResponseTo in Response elements

According to saml-core [1]:

InResponseTo [Optional] A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.

Also compare this Stack Exchange post [2], which argues that this value should be validated.

I don't think this validation has to happen within this library, but it should be returned so that callers of the library can implement it themselves, similar to how checks for duplicate assertionId are left as an exercise to the reader :sweat_smile:
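The caller-side check the PR leaves to library users, as an added example that is not wai-saml2 code (it is Python, not the project's Haskell): it reads the Response element's InResponseTo attribute from a constructed SAML Response, then requires it to match an AuthnRequest ID the service provider issued and has not yet consumed. It assumes the SP keeps those outstanding IDs in a set (`outstanding_request_ids`, an assumed name); the attribute is read directly from the XML here so the example runs on its own in place of the value the library returns.

```python
"""Caller-side InResponseTo check for SAML 2.0 Responses (added example, not wai-saml2 code)."""
import xml.etree.ElementTree as ET
from typing import Optional, Set

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
RESPONSE_TAG = f"{{{SAMLP}}}Response"


def extract_in_response_to(response_xml: bytes) -> Optional[str]:
    """Return the Response element's InResponseTo attribute, or None if absent.

    Stands in for the value the PR makes the library return; read straight
    from the XML so the example is self-contained.
    """
    root = ET.fromstring(response_xml)
    if root.tag != RESPONSE_TAG:
        raise ValueError(f"expected samlp:Response, got {root.tag}")
    return root.get("InResponseTo")


def validate_in_response_to(in_response_to: Optional[str],
                            outstanding_request_ids: Set[str],
                            allow_unsolicited: bool = False) -> bool:
    """Decide whether the Response may be accepted based on InResponseTo.

    - Absent: per saml-core the response was not generated for a request
      (IdP-initiated); accept only if the SP has opted in to unsolicited SSO.
    - Present: it must equal an AuthnRequest ID this SP issued and has not yet
      consumed. The ID is removed on success so the same response cannot be
      presented a second time against the same request.
    """
    if in_response_to is None:
        return allow_unsolicited
    if in_response_to not in outstanding_request_ids:
        return False
    outstanding_request_ids.discard(in_response_to)
    return True


def accept_response(response_xml: bytes, outstanding_request_ids: Set[str],
                    allow_unsolicited: bool = False) -> bool:
    """Combine extraction and validation for one incoming Response."""
    return validate_in_response_to(extract_in_response_to(response_xml),
                                   outstanding_request_ids, allow_unsolicited)


def sample_response(in_response_to: Optional[str]) -> bytes:
    """Constructed, minimal, unsigned Response carrying only what this check reads."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to is not None else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0"'
            f' IssueInstant="2024-01-01T00:00:00Z"{attr}>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
            '</samlp:Status></samlp:Response>').encode()


if __name__ == "__main__":
    issued = {"_req123"}
    print(accept_response(sample_response("_req123"), issued))      # True, consumes _req123
    print(accept_response(sample_response("_req123"), issued))      # False, already consumed
    print(accept_response(sample_response("_other"), {"_req123"}))  # False, not a request we issued
    print(accept_response(sample_response(None), {"_req123"}))      # False, unsolicited not allowed
    print(accept_response(sample_response(None), set(), allow_unsolicited=True))  # True
```

The outstanding-ID set is the piece that makes the check meaningful: without removing the ID on success, a second copy of the same Response would still match, which is the same gap the duplicate-assertion-ID check mentioned above is meant to close.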


Philonous commented 1 year ago

Fixed the failing tests

Philonous commented 1 year ago

I think I've addressed all the comments in new requests and I've re-based the PR onto master.

mbg commented 1 year ago

@Philonous I made the last few changes, rebased this, and merged it. Thank you again for your work on this! 😄