saml-idp / saml_idp

Ruby SAML Identity Provider, best used with Rails (though not required)
MIT License

Bug Fix: SAML Response Initialize Arguments Passed in the Wrong Order #198

Closed chris-clifford closed 10 months ago

chris-clifford commented 10 months ago

This fixes an issue in the SamlIdp::Controller#encode_authn_response method where arguments were being passed in the wrong order. This issue was introduced in v0.15.0.

In the call to SamlResponse#initialize the value of false for signed_message_opts was, by default, getting passed as the argument for signed_assertion_opts which caused SAML Responses to be generated without a signed assertion.

This wasn't caught in the tests because signed assertions were not checked when validating the SAML response, so a test was added to confirm that the assertion is being signed by default.

This could present a potential security concern, as SAML assertions are typically signed by default. It is expected that SAML Service Providers (SPs) validate these signatures. However, if a user of this gem upgrades to version 0.15.0 and mistakenly assumes that the assertion signature continues to be transmitted, this could lead to a potential security vulnerability.
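
The argument-order hazard, the regression check, and the SP-side concern described in this comment, as an added example that is not the gem's own code: a stand-in response builder that takes its two signing flags positionally with the assertion flag first, a controller-style wrapper that forwards them in the wrong order (as the pre-fix method did) next to one that forwards them correctly, and an REXML check that a test or a Service Provider can run to confirm the Assertion element carries its own signature rather than relying on a message-level one. `SamlResponseBuilder`, the element layout, the `encode_authn_response_buggy`/`encode_authn_response_fixed` names and the empty `ds:Signature` placeholder are constructed for illustration; no real XML signature is computed.

```ruby
require "rexml/document"

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS  = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS    = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a SAML Response builder (not saml_idp's SamlResponse).
# Like the pre-fix gem it takes the two signing flags POSITIONALLY, assertion flag
# first, which is what lets a caller swap them without any error being raised.
# Signing is simulated: an empty <ds:Signature> marks where a real XML-DSig
# element would be emitted.
class SamlResponseBuilder
  def initialize(issuer, signed_assertion_opts, signed_message_opts)
    @issuer = issuer
    @signed_assertion = signed_assertion_opts
    @signed_message = signed_message_opts
  end

  def build
    doc = REXML::Document.new
    response = doc.add_element("samlp:Response",
                               "xmlns:samlp" => SAMLP_NS, "xmlns:saml" => SAML_NS,
                               "ID" => "_response-1", "Version" => "2.0")
    response.add_element("saml:Issuer").text = @issuer
    # Message-level signature sits directly under the Response element.
    response.add_element("ds:Signature", "xmlns:ds" => DS_NS) if @signed_message
    assertion = response.add_element("saml:Assertion", "ID" => "_assertion-1", "Version" => "2.0")
    assertion.add_element("saml:Issuer").text = @issuer
    # Assertion-level signature sits directly under the Assertion element.
    assertion.add_element("ds:Signature", "xmlns:ds" => DS_NS) if @signed_assertion
    assertion.add_element("saml:Subject").add_element("saml:NameID").text = "user@example.test"
    doc.to_s
  end
end

# Wrapper as it behaved before the fix: the keyword defaults are forwarded in the
# wrong positional order, so the default `false` for signed_message_opts lands in
# the builder's signed_assertion_opts slot and the assertion goes out unsigned.
def encode_authn_response_buggy(issuer, signed_message_opts: false, signed_assertion_opts: true)
  SamlResponseBuilder.new(issuer, signed_message_opts, signed_assertion_opts).build
end

# Fixed wrapper: the positions match the builder's parameter list.
def encode_authn_response_fixed(issuer, signed_message_opts: false, signed_assertion_opts: true)
  SamlResponseBuilder.new(issuer, signed_assertion_opts, signed_message_opts).build
end

XPATH_NS = { "samlp" => SAMLP_NS, "saml" => SAML_NS, "ds" => DS_NS }.freeze

# SP-side (or test-side) checks. The XPath is anchored to the Assertion so that a
# message-level signature cannot be mistaken for an assertion signature.
def assertion_signed?(xml)
  doc = REXML::Document.new(xml)
  !REXML::XPath.first(doc, "/samlp:Response/saml:Assertion/ds:Signature", XPATH_NS).nil?
end

def message_signed?(xml)
  doc = REXML::Document.new(xml)
  !REXML::XPath.first(doc, "/samlp:Response/ds:Signature", XPATH_NS).nil?
end

# The regression check the PR adds, in spirit: with all defaults, the assertion
# must be signed. True for the fixed wrapper, false for the buggy one.
def assertion_signed_by_default?(wrapper)
  assertion_signed?(send(wrapper, "https://idp.example.test"))
end

if __FILE__ == $PROGRAM_NAME
  %i[encode_authn_response_buggy encode_authn_response_fixed].each do |wrapper|
    xml = send(wrapper, "https://idp.example.test")
    puts "#{wrapper}: message_signed=#{message_signed?(xml)} assertion_signed=#{assertion_signed?(xml)}"
  end
end
```

The buggy wrapper does not fail loudly: it produces a well-formed Response whose message-level signature is present and whose assertion signature is missing, which is exactly why a test that only validated the response as a whole did not catch it. Checking the signature's position in the tree, as `assertion_signed?` does, is the check worth keeping on both the IdP test side and the SP validation side.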

Zogoo commented 10 months ago

@chris-clifford can you update your branch with the latest master branch? That should fix the test.

Zogoo commented 10 months ago

@jphenow I think we need to release a minor version with this bug fix (current master branch). Could you please take a look at this PR and the latest master branch and release a new minor version?

jphenow commented 10 months ago

v0.16.0 released