v0.11.0

What's Changed

Security

• Reject unsigned SAML LogoutRequest when signature validation is enabled. Previously, ValidateEncodedLogoutRequestPOST silently accepted unsigned requests even when SkipSignatureValidation was false. (GHSA-pcgw-qcv5-h8ch)
• Security hardening: CBC bounds check to prevent panics from crafted ciphertext, replaced panic() calls with error returns, and assertion signatures within a signed Response envelope are now verified when present (previously they were skipped entirely, which could allow XML wrapping attacks)

Other

• Add oss-fuzz integration
• Bump minimum Go version to 1.25
• Update dependencies: goxmldsig v1.6.0, etree v1.6.0, testify v1.11.1
• Bump all GitHub Actions to latest versions

Full Changelog: v0.10.0...v0.11.0

v0.10.0

What's Changed

• Support encryption and signing keys that implement crypto.Signer by @nicksnyder in #131
• Avoid panic when the encrypted data has wrong size for CBC by @fformica in #195
• Security hardening by @ahacker1-securesaml
• Dependency and CI updates

New Contributors

• @nicksnyder made their first contribution in #131
• @fformica made their first contribution in #195

Full Changelog: v0.9.1...v0.10.0

v0.9.1

This release bumps the version of goxmldsig to pull in a security enhancement as well as support for more flexible signing methods to enable use of HSMs for signing.

See russellhaering/goxmldsig#89 for details.

Full Changelog: v0.9.0...v0.9.1

v0.9.0

Fixes a bug which would could allow an attacker to remotely OOM a process using gosaml2 to validate SAML Responses.

Full Changelog: v0.8.1...v0.9.0

v0.8.1

What's Changed

• Fixed a bug where the wrong error would be returned when parsing an encrypted assertion failed (#94)

v0.3.1

• Fix a typo and extraneous println in tests for Go <= 1.6

v0.3.0

• Expose a new DecodeUnverifiedBaseResponse function useful for examining a Response's Destination or Issuer prior to validation

v0.2.0

• Expose AuthnContext from Responses (credit: @pt-arvind)

v0.1.0 (initial tag)

This is the first tagged release of gosaml2 and represents a point-in-time snapshot of the current API.

From this point forward this project will tag semantically versioned releases. Master will track the latest stable release and development will take place in a new develop branch.