Php Saml Laravel Package

• Update xmlseclibs version requirement to 3.1.5 due CVE-2026-32313
• Force Fix phpunit > 8.5.51 due GHSA-vvj3-c3rp-c85p. Adapt tests to work with that phpunit version
• Drop support PHP < 7.2

• Updates xmlseclibs to 3.1.5 due CVE-2026-32313

The version 2.21.1 was released with the wrong version.json file and missed Changelog. The 2.21.2 version has the same code than 2.21.2 but set right version and update Changelog

• Update xmlseclibs version requirement to 3.1.4 due CVE-2025-66475

Security:

• Update xmlseclibs version requirement to 3.1.4 due CVE-2025-66475

Security:

• Fix xmlseclibs vulnerability CVE-2025-66475

• PHP 8.4 Compatibility via #600 and #607.
• #619 Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773
• #603 Fix typo in ignoreValidUntil that breaks metadata. Add parameter to exclude validUntil on Settings getSPMetadata
• #594 Add support for encrypted name id in encrypted assertion
• Fix buildWithBaseURLPath. See #581
• Doc fix typo
• Remove Travis CI references

• #619 Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773
• #603 Fix typo in ignoreValidUntil that breaks metadata. Add parameter to exclude validUntil on Settings getSPMetadata
• #594 Add support for encrypted name id in encrypted assertion
• Fix buildWithBaseURLPath. See #581
• Doc fix typo
• Remove Travis CI references

• #619 Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773
• #603 Fix typo in ignoreValidUntil that breaks metadata. Add parameter to exclude validUntil on Settings getSPMetadata
• #594 Add support for encrypted name id in encrypted assertion
• Fix buildWithBaseURLPath. See #581
• Doc fix typo
• Remove Travis CI references

• #586 IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate
• #585 Declare conditional return types
• #577 Allow empty NameID value when no strict or wantNameId is false
• #570 Support X509 cert comments
• #569 Add parameter to exclude validUntil on SP Metadata XML
• #551 Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST
• LogoutRequest and the LogoutResponse object to separate functions
• Make Saml2\Auth can accept a param $spValidationOnly
• Fix typos on readme.
• #480 Fix typo on SPNameQualifier mismatch error message
• Remove unbound version constraints on xmlseclibs
• Update dependencies
• Fix test payloads
• Remove references to OneLogin.

• #586 IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate
• #585 Declare conditional return types
• Make Saml2\Auth can accept a param $spValidationOnly
• #577 Allow empty NameID value when no strict or wantNameId is false
• #570 Support X509 cert comments
• #569 Add parameter to exclude validUntil on SP Metadata XML
• #551 Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST
• #487 Enable strict check on in_array method
• Make Saml2\Auth can accept a param $spValidationOnly
• Fix typos on readme.
• Add warning about Open Redirect and Reply attacks
• Add warning about the use of IdpMetadataParser class. If Metadata URLs are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF
• Fix test payloads
• Remove references to OneLogin.

• #586 IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate
• #585 Declare conditional return types
• Make Saml2\Auth can accept a param $spValidationOnly
• #577 Allow empty NameID value when no strict or wantNameId is false
• #570 Support X509 cert comments
• #569 Add parameter to exclude validUntil on SP Metadata XML
• #551 Fix compatibility with proxies that extends HTTP_X_FORWARDED_HOST
• #487 Enable strict check on in_array method
• Fix typos on readme.
• #480 Fix typo on SPNameQualifier mismatch error message
• Add $spValidationOnly param to Auth
• Update xmlseclibs (3.1.2 without AES-GCM and OAEP support)
• Add warning about Open Redirect and Reply attacks
• Add warning about the use of IdpMetadataParser class. If Metadata URLs are provided by 3rd parties, the URL inputs MUST be validated to avoid issues like SSRF
• Update dependencies
• Fix test payloads
• Remove references to OneLogin.

• Add pipe through for the $spValidationOnly setting in the Auth class.

• Add compatibility with PHP 8.1
  • If null param are provided to trim or preg_match, when PHP 8.1 has deprecation errors enabled, php-saml will raise errors.

• Supports PHP 8.X, drop support PHP < 7.3

• #467 Fix bug on getSelfRoutedURLNoQuery method

• #467 Fix bug on getSelfRoutedURLNoQuery method

• Add AES128_GCM encryption on generateNameId method. New setting parameter encryption_algorithm. If you set a encryption method different than AES128_CBC then the algorithm RSA_OAEP_MGF1P will be used as well instead RSA_1_5
• PHP 8.0 support

• #412 Empty instead of unset the $_SESSION variable
• #433 Fix Incorrect Destination in LogoutResponse when using responseUrl #443
• Update xmlseclibs to 3.1.1
• Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts
• Get lib path dinamically
• Check for x509Cert of the IdP when loading settings, even if the security index was not provided
• Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting

• 3.5.0 packagist/github release due a confusion were using the master (2.X branch). I'm releasing 3.5.1 to fix this issue and go back to 3.X branch

• #412 Empty instead of unset the $_SESSION variable
• #433 Fix Incorrect Destination in LogoutResponse when using responseUrl #443
• Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts
• Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting
• Get lib path dynamically
• Check for x509Cert of the IdP when loading settings, even if the security index was not provided

• Add setSchemasPath to Auth class and fix backward compatibility

• Add setSchemasPath to Auth class and fix backward compatibility

• Support rejecting unsolicited SAMLResponses.
• Support stric destination matching.
• Reject SAMLResponse if requestID was provided to the validotr but the InResponseTo attributeof the SAMLResponse is missing
• Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response
• Improve getSelfRoutedURLNoQuery method
• Only add responseUrl to the settings if ResponseLocation present in the IdPMetadataParser
• Remove use of $_GET on static method validateBinarySign
• Fix error message when Assertion and NameId are both encrypted (not supported)

• Support rejecting unsolicited SAMLResponses.
• Support stric destination matching.
• Reject SAMLResponse if requestID was provided to the validotr but the InResponseTo attributeof the SAMLResponse is missing
• Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response
• Improve getSelfRoutedURLNoQuery method
• Only add responseUrl to the settings if ResponseLocation present in the IdPMetadataParser
• Remove use of $_GET on static method validateBinarySign
• Fix error message when Assertion and NameId are both encrypted (not supported)

• Update xmlseclibs to 3.0.4 (CVE-2019-3465)
• Remove Comparison atribute from RequestedAuthnContext when setting has empty value

• Update xmlseclibs to 3.0.4 (CVE-2019-3465)
• Remove Comparison atribute from RequestedAuthnContext when setting has empty value

• Set true as the default value for strict setting
• Relax comparison of false on SignMetadata
• Fix CI

• Set true as the default value for strict setting
• Support 'x509cert' and 'privateKey' on signMetadata security settings
• Relax comparison of false on SignMetadata
• Fix CI

• Add missed nameIdValueReq parameter to buildAuthnRequest method