Comment by cmgbhm

It also supports putting keyinfo into the document as well and validates it by default unless you really know to go out of your way to disable it.

Oh look, another signature issue…

When googling for a SAML dependency, if a library doesn’t already have CVEs for this stuff, it’s likely never been tested.