OneLogin's SAML PHP Toolkit v2.10.0

@pitbulk pitbulk released this 14 Oct 15:51

This version includes a security patch that contains extra validations that will prevent signature wrapping attacks and other security improvements.

Changelog v.2.10.0:

  • Several security improvements:
    • Conditions element required and unique.
    • AuthnStatement element required and unique.
    • SPNameQualifier must match the SP EntityID.
    • Reject saml:Attribute elements that share the same "Name" attribute.
    • Reject empty nameID
    • Require Issuer element. (Must match IdP EntityID).
    • Destination value can't be blank (if present must match ACS URL).
    • Check that the EncryptedAssertion element only contains 1 Assertion element.
  • Improve Signature validation process
  • AttributeConsumingService support
  • Support lowercase URL encoding (ADFS compatibility).
  • #154 getSelfHost no longer returns a port number
  • #156 Use correct host on response destination fallback check
  • #158 NEW Control usage of X-Forwarded-* headers
  • Fix issue with buildRequestSignature: RelayState is added to the signed query only if it is not null.
  • Add Signature Wrapping prevention Test
  • Improve _decryptAssertion to handle Assertions with namespace problems.
  • Improve documentation:
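As an added example (not the toolkit's own code), the PHP function below applies several of the structural validations listed above to an unencrypted SAML Response: exactly one Assertion, unique Conditions and AuthnStatement, a required Issuer matching the IdP EntityID, a non-empty NameID, and no duplicate Attribute Names. The function name and the `$expectedIssuer` parameter are this example's, not the toolkit's API.

```php
<?php
// Example checker, not OneLogin's implementation. Returns a list of error strings;
// an empty list means all checks passed.
function samlResponseChecks(string $xml, string $expectedIssuer): array {
    $errors = [];
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch remote resources while parsing untrusted input.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        return ['Response is not well-formed XML'];
    }
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
    $xp->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');

    // Exactly one Assertion, and only as a direct child of the Response.
    $assertions = $xp->query('/samlp:Response/saml:Assertion');
    if ($assertions->length !== 1) {
        return ['Expected exactly one Assertion, found ' . $assertions->length];
    }
    $a = $assertions->item(0);

    // Conditions and AuthnStatement: required and unique.
    foreach (['saml:Conditions', 'saml:AuthnStatement'] as $el) {
        $n = $xp->query('./' . $el, $a)->length;
        if ($n !== 1) {
            $errors[] = "$el must appear exactly once (found $n)";
        }
    }
    // Issuer is required and must match the configured IdP EntityID.
    $issuer = $xp->query('./saml:Issuer', $a);
    if ($issuer->length !== 1 || trim($issuer->item(0)->textContent) !== $expectedIssuer) {
        $errors[] = 'Assertion Issuer missing or does not match IdP EntityID';
    }
    // Reject a missing or empty NameID.
    $nameId = $xp->query('./saml:Subject/saml:NameID', $a);
    if ($nameId->length !== 1 || trim($nameId->item(0)->textContent) === '') {
        $errors[] = 'NameID missing or empty';
    }
    // Reject saml:Attribute elements that repeat the same Name.
    $seen = [];
    foreach ($xp->query('./saml:AttributeStatement/saml:Attribute', $a) as $attr) {
        $name = $attr->getAttribute('Name');
        if (isset($seen[$name])) {
            $errors[] = "Duplicate Attribute Name: $name";
        }
        $seen[$name] = true;
    }
    return $errors;
}
```

These checks complement, and do not replace, XML signature verification; the signed Assertion must still be the one these checks were run on.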