This version includes a security patch that contains extra validations that will prevent signature wrapping attacks and other security improvements.
Changelog v.2.10.0:
- Several security improvements:
- Conditions element required and unique.
- AuthnStatement element required and unique.
- SPNameQualifier must match the SP EntityID
- Reject saml:Attribute element with same “Name” attribute
- Reject empty nameID
- Require Issuer element. (Must match IdP EntityID).
- Destination value can't be blank (if present must match ACS URL).
- Check that the EncryptedAssertion element only contains 1 Assertion element.
- Improve Signature validation process
- AttributeConsumingService support
- Support lowercase Urlencoding (ADFS compatibility).
- #154 getSelfHost no longer returns a port number
- #156 Use correct host on response destination fallback check
- #158 NEW Control usage of X-Forwarded-* headers
- Fix issue with buildRequestSignature. Added RelayState to the SignQuery only if is not null.
- Add Signature Wrapping prevention Test
- Improve _decryptAssertion in order to take care of Assertions with problems with namespaces
- Improve documentation: