Comment by cmgbhm
It also supports putting KeyInfo into the document and validates it by default unless you really know to go out of your way to disable it.
Oh look, another signature issue…
https://github.com/advisories/GHSA-2xp3-57p7-qf4v
When googling for a SAML dependency, if a library doesn’t already have CVEs for this stuff, it’s likely never been tested.