Saml Assertion signature verification can be fooled

[jhudsoncedaron]

The signature handling code does not pass the list of signed xml fragments to the signature reader in any way. It can be fooled by a document constructed as follows:

<!-- envelope omitted for brevity -->
<samlp:Assertion>
     <samlp:Assertion>
        <!-- original signature here -->
     <samlp:Assertion>
     <!-- whatever you want -->
</samlp:Assertion>

[RemcovandenBerg]

Some extra info perhaps and mitigations described in a research paper:
https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf