Customer is testing a new Legacy Federation configuration in which they are the IDP. The SP is not ready to process signed assertions, so no Signing Alias is specified in the Service Provider object, yet assertions are being signed with one of the certificates that is used for a different configuration.
The Admin UI should not allow the Service Provider object to be saved if Signature Processing is enabled (default) and no Signing Alias is specified. This is because there is no option to not sign the assertion short of disabling Signature Processing (there is a Disable Signature Processing checkbox on the Signing and Encryption property sheet).
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
The only way to not sign assertions is to select the 'Disable Signature Processing' checkbox. Whenever this box is not selected, a Signing Alias should always be specified, else the alias used to sign assertions may not be predictable.