4* Add setSchemasPath to Auth class and fix backward compatibility
7* Support rejecting unsolicited SAMLResponses.
8* Support stric destination matching.
9* Reject SAMLResponse if requestID was provided to the validotr but the InResponseTo attributeof the SAMLResponse is missing
10* Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response
11* Improve getSelfRoutedURLNoQuery method
12* Only add responseUrl to the settings if ResponseLocation present in the IdPMetadataParser
13* Remove use of $_GET on static method validateBinarySign
14* Fix error message when Assertion and NameId are both encrypted (not supported)
17* Update xmlseclibs to 3.0.4
18* Remove Comparison atribute from RequestedAuthnContext when setting has empty value
21* Set true as the default value for strict setting
22* Support 'x509cert' and 'privateKey' on signMetadata security settings
23* Relax comparision of false on SignMetadata
24* Fix CI
27* Support SLO ResponseLocation
28* [#344](https://github.com/onelogin/php-saml/issues/344) Raise errors on IdPMetadataParser::parseRemoteXML and IdPMetadataParser::parseFileXML
29* Adjusted acs endpoint to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted single logout service to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter. Align LogoutRequest constructor with SAML specs
30* Add support for Subjects on AuthNRequests by the new parameter
31* Set strict=true on config examples
34* Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE)
35* Fix bug on settings_example.php
38* Add  parameter to the decryptElement method to make optional the formatting
39* [#283](https://github.com/onelogin/php-saml/pull/283) New method of importing a decrypted assertion into the XML document to replace the EncryptedAssertion. Fix signature issues on Signed Encrypted Assertions with default namespace
40* Allow the getSPMetadata() method to always include the encryption Key Descriptor
41* Change some Fatal Error to Exceptions
42* [#265](https://github.com/onelogin/php-saml/issues/265) Support parameters at getSPMetadata method
43* Avoid calling static method using this
46* Update xmlseclibs with some fixes.
47* Add extra protection verifying the Signature algorithm used on SignedInfo element, not only rely on the xmlseclibs verify / verifySignature methods.
48* Add getAttributesWithFriendlyName method which returns the set of SAML attributes indexed by FriendlyName
49* Fix bug on parseRemoteXML and parseFileXML. Internal calls to parseXML missed the desiredNameIdFormat parameter
52* Improve Time management. Use DateTime/DateTimeZone classes.
53* Escape error messages in debug mode
54* Improve phpdoc
55* Add an extra filter to the url to be used on redirection
57* [#242](https://github.com/onelogin/php-saml/pull/242) Document that SHA-1 must not be used
58* [#250](https://github.com/onelogin/php-saml/pull/250) Fixed issue with IdPMetadataParser only keeping 1 certificate when multiple certificates of a single type were provided.
59* [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest.
62* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads
63* [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request
64* Improve logout documentation on Readme.
65* Improve multi-certificate support
68* Fix IdPMetadataParser. The SingleLogoutService retrieved method was wrong
69* [#201](https://github.com/onelogin/php-saml/issues/201) Fix issues with SP entity_id, acs url and sls url that contains &
72* [#206](https://github.com/onelogin/php-saml/pull/206)Be able to register future SP x509cert on the settings and publish it on SP metadata
73* [#206](https://github.com/onelogin/php-saml/pull/206) Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption)
74* [#206](https://github.com/onelogin/php-saml/pull/206) Support the ability to parse IdP XML metadata (remote url or file) and be able to inject the data obtained on the settings.
77* Be able to get at the auth object the last processed ID
78* Improve NameID Format support
79* Reset errorReason attribute of the auth object after each Process method
80* Validate serial number as string to work around libxml2 limitation
81* Make the Issuer on the Response Optional
84* [+](https://github.com/onelogin/php-saml/commit/949359f5cad5e1d085c4e5447d9aa8f49a6e82a1) Security update for signature validation on LogoutRequest/LogoutResponse
85* [#192](https://github.com/onelogin/php-saml/pull/192) Added ability to configure DigestAlgorithm in settings
86* [#183](https://github.com/onelogin/php-saml/pull/183) Fix strpos bug when decrypting assertions
87* [#186](https://github.com/onelogin/php-saml/pull/186) Improve info on entityId validation Exception
88* [#188](https://github.com/onelogin/php-saml/pull/188) Fixed issue with undefined constant of UNEXPECTED_SIGNED_ELEMENT
89* Read ACS binding on AuthNRequest builder from settings
90* Be able to relax Destination validation on SAMLResponses and let this
91  attribute to be empty with the 'relaxDestinationValidation' setting
94* Implement a more specific exception class for handling some validation errors
95* Minor changes on time validation/exceptions
96* Add hooks to retrieve last-sent and last-received requests and responses
97* Improve/Fix tests
98* Add DigestAlgorithm support on addSign
99* [#177](https://github.com/onelogin/php-saml/pull/177) Add error message for bad OneLogin_Saml2_Settings argument
102* [#175](https://github.com/onelogin/php-saml/pull/175) Allow overriding of host, port, protocol and url path for URL building
103* [#173](https://github.com/onelogin/php-saml/pull/173) Provide better support to NameIdFormat
104* Fix another issue on Assertion Signature validation when the assertion contains no namespace, container has saml2 namespace and it was encrypted
107* Fix error message on SignMetadata process
108* Fix issue on Assertion Signature validation when the assertion contains no namespace and it was encrypted
111* Several security improvements:
112  * Conditions element required and unique.
113  * AuthnStatement element required and unique.
114  * SPNameQualifier must math the SP EntityID
115  * Reject saml:Attribute element with same “Name” attribute
116  * Reject empty nameID
117  * Require Issuer element. (Must match IdP EntityID).
118  * Destination value can't be blank (if present must match ACS URL).
119  * Check that the EncryptedAssertion element only contains 1 Assertion element.
120* Improve Signature validation process
121* AttributeConsumingService support
122* Support lowercase Urlencoding (ADFS compatibility).
123* [#154](https://github.com/onelogin/php-saml/pull/154) getSelfHost no longer returns a port number
124* [#156](https://github.com/onelogin/php-saml/pull/156) Use correct host on response destination fallback check
125* [#158](https://github.com/onelogin/php-saml/pull/158) NEW Control usage of X-Forwarded-* headers
126* Fix issue with buildRequestSignature. Added RelayState to the SignQuery only if is not null.
127* Add Signature Wrapping prevention Test
128* Improve _decryptAssertion in order to take care of Assertions with problems with namespaces
129* Improve documentation
133* [134](https://github.com/onelogin/php-saml/pull/134) PHP7 production settings compiles out assert(), throw an exception explicitly
134* [132](https://github.com/onelogin/php-saml/pull/132) Add note for "wantAssertionsEncrypted"
135* Update copyright on LICENSE
139* Change the decrypt assertion process.
140* Add 2 extra validations to prevent Signature wrapping attacks.
141* Remove reference to wrong NameIDFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified should be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
142* [128](https://github.com/onelogin/php-saml/pull/128) Test php7 and upgrade phpunit
143* Update Readme with more descriptive requestedAuthnContext description and Security Guidelines
147* Make NameIDPolicy of AuthNRequest optional
148* Make nameID requirement on SAMLResponse optional
149* Fix empty URI support
150* Symmetric encryption key support
151* Add more Auth Context options to the constant class
152* Fix DSA_SHA1 constant on xmlseclibs
153* Set none requestedAuthnContext as default behaviour
154* Update xmlseclibs lib
155* Improve formatPrivateKey method
156* Fix bug when signing metadata, the SignatureMethod was not provided
157* Fix getter for lastRequestID parameter in OneLogin_Saml2_Auth class
158* Add $wantEncrypted parameter on addX509KeyDescriptors method that will allow to set KeyDescriptor[use='encryption'] if wantNameIdEncrypted or wantAssertionsEncrypted enabled
159* Add $stay parameter on redirectTo method. (login/logout supports $stay but I forgot add this on previous 2.7.0 version)
160* Improve code style
164* Trim acs, slo and issuer urls.
165* Fix PHP 7 error (used continue outside a loop/switch).
166* Fix bug on organization element of the SP metadata builder.
167* Fix typos on documentation. Fix ALOWED Misspell.
168* Be able to extract RequestID. Add RequestID validation on demo1.
169* Add $stay parameter to login, logout and processSLO method.
173* Fix bug on cacheDuration of the Metadata XML generated.
174* Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder.
175* Allows the authn comparsion attribute to be set via config.
176* Retrieve Session Timeout after processResponse with getSessionExpiration().
177* Improve readme readability.
178* Allow single log out to work for applications not leveraging php session_start. Added a callback parameter in order to close the session at processSLO.
182* Set NAMEID_UNSPECIFIED as default NameIDFormat to prevent conflicts with IdPs that don't support NAMEID_PERSISTENT.
183* Now the SP is able to select the algorithm to be used on signatures (DSA_SHA1, RSA_SHA1, RSA_SHA256, RSA_SHA384, RSA_SHA512).
184* Change visibility of _decryptAssertion to protected.
185* Update xmlseclibs library.
186* Handle valid but uncommon dsig block with no URI in the reference.
187* login, logout and processSLO now return ->redirectTo instead of just call it.
188* Split the setting check methods. Now 1 method for IdP settings and other for SP settings.
189* Let the setting object to avoid the IdP setting check. required if we want to publish SP SAML Metadata when the IdP data is still not provided.
193* Do accesible the ID of the object Logout Request (id attribute).
194* Add note about the fact that PHP 5.3 is unssuported.
195* Add fingerprint algorithm support.
196* Add dependences to composer.
200* Fix wrong element order in generated metadata.
201* Added SLO with nameID and SessionIndex in demo1.
202* Improve isHTTPS method in order to support HTTP_X_FORWARDED_PORT.
203* Set optional the XMLvalidation (enable/disable it with wantXMLValidation security setting).
207* Resolve namespace problem. Some IdPs uses saml2p:Response and saml2:Assertion instead of samlp:Response saml:Assertion.
208* Improve test and documentation.
209* Improve ADFS compatibility.
210* Remove unnecessary XSDs files.
211* Make available the reason for the saml message invalidation.
212* Adding ability to set idp cert once the Setting object initialized.
213* Fix status info issue.
214* Reject SAML Response if not signed and strict = false.
215* Support NameId and SessionIndex in LogoutRequest.
216* Add ForceAuh and IsPassive support.
220* Fix bug with Encrypted nameID on LogoutRequest.
221* Fixed usability bug. SP will inform about AuthFail status after process a Response.
222* Added SessionIndex support on LogoutRequest, and know is accesible from the Auth class.
223* LogoutRequest and LogoutResponse classes now accept non deflated xml.
224* Improved the XML metadata/ Decrypted Assertion output. (prettyprint).
225* Fix bug in formatPrivateKey method, the key could be not RSA.
226* Explicit warning message for signed element problem.
227* Decrypt method improved.
228* Support more algorithm at the SigAlg in the Signed LogoutRequests and LogoutResponses
229* AuthNRequest now stores ID (it can be retrieved later).
230* Fixed a typo on the 'NameIdPolicy' attribute that appeared at the README and settings_example file.
236* The isValid method of the Logout Request is now non-static. (affects processSLO method of Auth.php).
237* Logout Request constructor now accepts encoded logout requests.
238* Now after validate a message, if fails a method getError of the object will return the cause.
239* Fix typos.
240* Added extra parameters option to login and logout methods.
241* Improve Test (new test, use the new getError method for testing).
242* Bugfix namespace problem when getting Attributes.
248* New PHP SAML Toolkit (SLO, Sign, Encryptation).
254* Old PHP SAML Toolkit.