Although it seems to me that the paper makes only oblique reference to it, in a previous post, Patrick Harding discusses the trust bootstrap question
The fact that you trust the key in the meta-data and will use it to validate signatures of SAML messages is because you have separately established trust in the meta-data file itself. So obviously this begs the question – How do I trust the meta-data file is my partners meta-data file?
The short answer is that the meta-data file itself must be signed and the X.509 certificate used to validate the signature is itself included in the meta-data file. The keys used to trust the meta-data file are separate and in my view will be X.509 certificates issued by publicly trusted Certificate Authorities.
As described, the signature over the metadata would tell a partner contemplating doing federated business only that the metadata file did indeed belong to the provider named as the entityID within (if they could demonstrate possession of the private key associated with the embedded public key, etc).
If a SAML SP were to base its trust decisions for various IDPs solely on such a signature, then it would be blind to the differences between those IDPs. Two different IDPs may both be perfectly legitimate businesses (and so able to get their metadata signed by some CA), but that doesn't make them equally capable - in the sense of the level of identity assurance they can support in the assertions they issue.
More meaningful for the SP would be a model in which the signature over the metadata (or a separate signature, a possibility for SAML hilited by the paper but not really explored) gave the SP an indication of the level(s) of assurance that that IDP was capable of supporting.