squall9981
Participant
March 3, 2026
Question

SAML - Want Assertion Signed

I’m setting up a SAML integration in ColdFusion 2021. It works fine, but when I’m in the Administrator if I check the “Want Assertions Signed” checkbox but don’t fill out Signing Keystore information and save it, whenever I try to edit the SP it always fails saying the keystore…. is undefined. 

My understanding is that “Want Assertions Signed” means the IDP signs the request it sends. Inside of the IDP I set up the Signing Certificate so it decrypts the response successfully. This all works fine, it’s just I can’t get in to edit the SP after setting it up.

Entra provides the certificate and has options to sign the request and assertion, so I assume I don’t have to set up that certificate in my SP, but I do have to add it to the IDP so it knows how to verify the SAML response. Is this wrong? If I leave “Want Assertions Unchecked” what does that do for my process?

Thank you.

    2 replies

    BKBK
    Community Expert
    March 7, 2026

    I think your interpretation of "Want Assertions Signed" is correct. When that checkbox is checked, it means the Service Provider (SP) expects the Identity Provider (IdP) to digitally sign the assertions within a SAML response. This is a security measure to prevent a third party from tampering with messages between the SP and the IdP. So I would suggest you leave it checked.
    That said, I don't think that SAML requires you to set up the certificate in your SP. The keystore information should be unnecessary here.  So, what's amiss?
    It seems to me that, when you check “Want Assertions Signed” in the SP configuration, ColdFusion internally assumes a signing configuration (including keystore information) exists. The administrator’s validation code then expects variables like "Signing Keystore Path" to exist when the edit form is loaded. However, when you saved the SP without filling the keystore fields, those variables were probably never written into the SAML configuration. But the ColdFusion Administrator still assumed they exist, and tried to read them. Hence the error.
    My conclusion is that what you have observed is a validation bug in the ColdFusion Administrator UI. I would suggest that you report it.
    Finally, a possible workaround to enable you to edit the SP. The steps are:

    1. create a back-up (elsewhere in the file-system) of the file {CF_INSTANCE_NAME}\lib\neo-saml.xml;
    2. open the file in an editor, and change the element

       <var name='wantAssertionsSigned'>
           <boolean value='true'/>
       </var>

       to

       <var name='wantAssertionsSigned'>
           <boolean value='false'/>
       </var>

    3. save the file and restart the ColdFusion instance;
    4. open the ColdFusion Administrator and see if you can edit the SP.
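An added example, not code from the thread and not Adobe's: a small Python script that does the workaround above in a checkable way. It audits neo-saml.xml read-only (what value wantAssertionsSigned holds, and which sibling variables were actually written next to it, which is the missing-keystore theory in the reply), then, only with --flip, takes a timestamped backup and changes true to false as a text substitution so every other byte of the file, including line endings and quote style, is left alone. Only the `<var name='wantAssertionsSigned'>` element comes from the thread; the surrounding WDDX-style layout, struct and variable names in SAMPLE are constructed and may differ from a real file, and the keystore check is a name-based heuristic because the real variable names are not on the page.

```python
"""Audit and flip wantAssertionsSigned in a ColdFusion neo-saml.xml.

Added example, not Adobe's code. Only the <var name='wantAssertionsSigned'>
element comes from the thread; the surrounding WDDX-style layout, struct and
var names in SAMPLE are constructed and may differ from a real file.
"""
import re
import shutil
import sys
import time
import xml.etree.ElementTree as ET

# Constructed sample packet (hypothetical layout), used when no path is given.
SAMPLE = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
  <var name='sp'><struct type='coldfusion.server.ConfigMap'>
    <var name='entityId'><string>https://app.example.test/sp</string></var>
    <var name='wantAssertionsSigned'>
        <boolean value='true'/>
    </var>
  </struct></var>
</struct></data></wddxPacket>
"""

# Matches exactly the element shown in the thread, tolerating either quote style.
FLAG_RE = re.compile(
    r"""(<var name=['"]wantAssertionsSigned['"]>\s*<boolean value=['"])true(['"]\s*/>)""",
    re.IGNORECASE,
)


def audit(xml_text):
    """Read-only: for every struct that carries wantAssertionsSigned, report its
    value and the names of the sibling <var> elements, so you can see whether
    any keystore settings were actually written next to it."""
    findings = []
    for struct in ET.fromstring(xml_text).iter("struct"):
        flag, siblings = None, []
        for var in struct.findall("var"):
            name = var.get("name", "")
            if name == "wantAssertionsSigned":
                b = var.find("boolean")
                flag = b is not None and b.get("value", "").lower() == "true"
            else:
                siblings.append(name)
        if flag is not None:
            findings.append({
                "wantAssertionsSigned": flag,
                "siblings": siblings,
                # Heuristic: the real keystore variable names are not on the page.
                "keystore_vars": [n for n in siblings if "keystore" in n.lower()],
            })
    return findings


def flip_to_false(xml_text):
    """Return (new_text, replacements). Text-level edit, so everything else in
    the file stays byte-for-byte identical."""
    return FLAG_RE.subn(r"\1false\2", xml_text)


def main(argv):
    if len(argv) < 2:
        text = SAMPLE
    else:
        with open(argv[1], encoding="utf-8", newline="") as fh:  # keep CRLF as-is
            text = fh.read()
    for f in audit(text):
        print(f"wantAssertionsSigned={f['wantAssertionsSigned']} "
              f"keystore vars={f['keystore_vars'] or 'none'} siblings={f['siblings']}")
    if len(argv) > 2 and argv[2] == "--flip":
        backup = f"{argv[1]}.{time.strftime('%Y%m%d-%H%M%S')}.bak"
        shutil.copy2(argv[1], backup)            # step 1: back up first
        new_text, n = flip_to_false(text)        # step 2: true -> false
        with open(argv[1], "w", encoding="utf-8", newline="") as fh:
            fh.write(new_text)
        print(f"flipped {n} flag(s); backup at {backup}; now restart the instance (step 3)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the audit on the constructed sample, with the path to neo-saml.xml to audit the real file, and with the path plus --flip to apply the workaround; stop the ColdFusion instance first, since the Administrator rewrites neo-*.xml on save.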

    Charlie Arehart
    Community Expert
    March 4, 2026

    Squall, I don't claim expertise with cf's saml feature (just passing acquaintance), but I have a couple of thoughts I'll share, as may other folks. If you don't find resolution here, note that there's no guarantee anyone from Adobe will see this or respond. In that case, send email to cfsup@adobe.com.

    As for your questions, my understanding is that checking "want assertions signed" means the sp (cf) wants the idp (entra, in your case) to sign each response to you. So when you ask "what does it mean if it's not checked", it means it doesn't do that.

    And yes, it's confusing because there are multiple settings, communications, and roles/responsibilities in a saml exchange.

    My read is that the keystore field (in the sp) would be where you would be expected to have stored the client cert to match the server cert of the idp you're wanting to have sign each response (each assertion).

    And if the issue is that you can't edit the sp once you check that checkbox (unless you name the keystore), try first to uncheck it. That will run without that signing, which may be sufficient. If not, then get the client cert, create a key store, and point to it when checking that box. 

    I could have any or all that wrong. Again, if no one offers more/better info, reach out to Adobe for clarification. Let us know how it goes, whatever you try.

    PS Sometimes it helps to look at problems from other than within cf alone. To that point, I'll note that one of the vendors in this space (OneLogin) offers a tool for testing saml communications. As it warns, you may not want to use it for production keys (though they share how they don't store such info): https://www.samltool.com/validate_response.php

    /Charlie (troubleshooter, carehart.org)
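An added example, not code from the thread, ColdFusion, Adobe or OneLogin, for checking what the two replies describe without uploading a production response to a third-party site: a stdlib Python inspector that base64-decodes a SAML Response and reports which elements carry a ds:Signature, whether each signature's Reference actually points at the element it sits in (a signature inside the Response that only references the Response does not cover the Assertion, which is exactly the case "Want Assertions Signed" rejects), and the SHA-256 fingerprint of the certificate embedded in KeyInfo, which you can compare against the certificate Entra shows you. It does not verify signatures cryptographically; that needs XML canonicalisation and a library such as xmlsec or signxml. The two constructed responses mirror Entra's separate "sign response" and "sign assertion" options; the tenant id, certificate bytes and signature values are placeholders, not real material.

```python
"""Report which parts of a SAML Response carry an XML signature.

Added example, not code from the thread, ColdFusion or Adobe. It does NOT
verify signatures cryptographically (that needs XML canonicalisation; use a
library such as xmlsec or signxml for that). It only shows what "Want
Assertions Signed" is checking for: a ds:Signature inside each saml:Assertion
whose Reference points at that assertion's ID, and which certificate signed it.
All sample data below (tenant id, certificate bytes, signature values) is
constructed placeholder material.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder "certificate": not DER, just bytes standing in for the IdP cert.
PLACEHOLDER_DER = b"placeholder-idp-signing-certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_DER).decode()
PLACEHOLDER_CERT_SHA256 = hashlib.sha256(PLACEHOLDER_DER).hexdigest()


def _fake_signature(ref_id):
    """XMLDSig skeleton with a dummy SignatureValue; shape only, not verifiable."""
    return (
        f'<ds:Signature xmlns:ds="{NS["ds"]}">'
        f'<ds:SignedInfo><ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
        f'<ds:SignatureValue>AAAA</ds:SignatureValue>'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}'
        f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    )


def build_response(sign_response, sign_assertion):
    """Constructed base64 SAML Response, mirroring Entra's separate
    'sign response' / 'sign assertion' options. Tenant id is a placeholder."""
    issuer = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_r1" Version="2.0">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'{_fake_signature("_r1") if sign_response else ""}'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>'
        f'{_fake_signature("_a1") if sign_assertion else ""}'
        f'<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>'
        f'</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def _signature_info(elem):
    """None if elem has no direct ds:Signature child; otherwise where its
    Reference points and the fingerprint of the embedded certificate."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    der = base64.b64decode("".join((cert.text or "").split())) if cert is not None else b""
    uri = ref.get("URI") if ref is not None else None
    return {
        "reference_uri": uri,
        # A signature whose Reference points elsewhere does not cover this element.
        "covers_element": uri == "#" + elem.get("ID", ""),
        "cert_sha256": hashlib.sha256(der).hexdigest() if der else None,
    }


def signature_report(b64_response):
    root = ET.fromstring(base64.b64decode(b64_response))
    return {
        "issuer": (root.findtext("saml:Issuer", namespaces=NS) or "").strip(),
        "response_signature": _signature_info(root),
        "assertions": [{"id": a.get("ID"), "signature": _signature_info(a)}
                       for a in root.findall("saml:Assertion", NS)],
        # Encrypted assertions must be decrypted before this check means anything.
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
    }


def assertions_signed(report):
    """What the SP's 'Want Assertions Signed' setting asks for."""
    return bool(report["assertions"]) and all(
        a["signature"] is not None and a["signature"]["covers_element"]
        for a in report["assertions"]
    )


if __name__ == "__main__":
    for flags in [(True, False), (False, True)]:
        rep = signature_report(build_response(*flags))
        print(f"response signed={flags[0]} assertion signed={flags[1]} -> "
              f"assertions_signed={assertions_signed(rep)} issuer={rep['issuer']}")
```

To use it on a real login, paste the SAMLResponse form field (already base64) into signature_report; if the report shows a response-level signature but no assertion signature, Entra is signing only the response, and an SP with "Want Assertions Signed" checked will refuse it until the Entra setting is changed to sign the assertion (or both).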