It was discovered that in SimpleSAMLphp, an implementation of the SAML 2.0 protocol, it was possible to circumvent XML signature verification on SAML messages.