...
The as-yet-unreleased OpenSAML 2 library requires at least version 1.3.1 of this library, which is officially released, but contains some known bugs that affect some signature verification scenarios. The final release of OpenSAML 2.0 will probably require a newer xml-security version, possibly a 1.4.
– Scott