Node.js SAML Okta configuration

Trying to configure my Node.js server to auth users using SAML.
I'm using passport and the passport-saml strategy, and I don't understand how to validate a response from the IdP at the SP side.
When doing the flow without a cert, it still works and I'm redirecting to Okta’s sign-in page.
I think I'm missing something. Can someone please explain the proper flow to me?