tngan

Results 80 comments of tngan

@meabed Thank you so much for the contribution. We will take this PR as a reference when we start v3 development later on. I would prefer keeping `samlify-js` as a...

@carsonwah @cisacpalma According to section 4.1.3.5 in the specification http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, `The <Assertion> element(s) in the <Response> MUST be signed, if the HTTP POST binding is used`. That means the assertion in response...

@oniemela I have checked the test file, the second argument is the key format in string. See if you can try different formats, I wonder forcing to use `private` might...

@dddoronnn Thanks for your contribution. 1) That's good, but see if you could add tests for the changes as well. 2) Is it possible for you to create a different...

@slimm609 Interesting. It does not seem possible that `res` gets mutated between after-decryption and before-verification. `res`, as a string, is passed into XML schema validation as a value. https://github.com/tngan/samlify/blob/5537489b83320e1d99bd116e4bf761c148692d30/src/entity.ts#L251-L266 Where did you...

@tjunnone You can create a pool of IdPs when your service starts, by getting a unique IdP list from your database. Yes, create an ACS URL per IdP which is not...

@tjunnone Using issuer as key makes sense, I am open to this feature. In OpenAM, there is something called circle of trust, it's a pool of entities (SPs and IdPs)...

@mashpie @ebrurak There is a fix in a PR, I will take a look at it soon. https://github.com/tngan/samlify/pull/380

Yes, we cannot trust the certificate from the SAML document, either request or response. We cannot directly apply that certificate without verification, otherwise, it potentially bypasses the actual validation because...