Enable the security validation mode while processing signatures. This flag is easily accessible as a boolean parameter to the

org.apache.xml.security.signature.XMLSignature constructor. See https://github.com/apache/santuario-java/blob/53221e7adf19317fb347ee611c9f4b4d035799ec/s
rc/main/java/org/apache/xml/security/signature/XMLSignature.java#L377​ .

Author: pitbulk

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -879,7 +879,7 @@ public static Boolean validateSignNode(Node signNode, X509Certificate cert, Stri
 			org.apache.xml.security.Init.init();
 
 			Element sigElement = (Element) signNode;
-			XMLSignature signature = new XMLSignature(sigElement, "");
+			XMLSignature signature = new XMLSignature(sigElement, "", true);
 
 			if (cert != null) {
 				res = signature.checkSignatureValue(cert);