This version includes a security patch that adds extra validations to prevent signature wrapping attacks.
Changelog:
- Several security improvements:
  - Conditions element required and unique.
  - AuthnStatement element required and unique.
  - SPNameQualifier must match the SP EntityID.
  - Reject saml:Attribute elements with the same “Name” attribute.
  - Reject empty NameID.
  - Require Issuer element. (Must match IdP EntityID).
  - Destination value can't be blank (if present must match ACS URL).
  - Check that the EncryptedAssertion element only contains 1 Assertion element.
- Improve Signature validation process
- Document the wantAssertionsEncrypted parameter
- Support multiple attributeValues on RequestedAttribute
- Fix AttributeConsumingService