[GOVCMSD10-1227] Update simplesamlphp/simplesamlphp requirement from 2.3.5 to 2.3.7 #1410

@dependabot dependabot bot commented on behalf of github Mar 11, 2025

Updates the requirements on simplesamlphp/simplesamlphp to permit the latest version.

Release notes

Sourced from simplesamlphp/simplesamlphp's releases.

SimpleSAMLphp 2.3.7

This is a security-release of SimpleSAMLphp. A signature bypass vulnerability was fixed (CVE-2025-27773), which was considered to be a high risk.

Use the link below to download and verify this release. Here you can also download a package with the source code of this release.

Make sure to check the changelog and upgrade notes.

SHA256 checksum slim-release: 7660323c5cba4f00b1b1387b05890c3d1abbcf3a34633dbdc7db9c09f234ee41
SHA256 checksum full-release: ef1ceaff766289a8689c139b77dc64acf48ebc3f07788fd11410144130c67773

Full Changelog: simplesamlphp/simplesamlphp@v2.3.6...v2.3.7

Changelog

Sourced from simplesamlphp/simplesamlphp's changelog.

Version 2.3.7

Released TBD

  • Fixed loading translations for themes where there is no explicit X-Domain set in the po file.

Version 2.3.6

Released 2025-02-17

  • Fixed PHP 8.4 deprecation notices
  • Fixed infinite recursion (#2367)
  • Added a new feature flag encryption.optional to allow unencrypted assertions if the SP does not provide an encryption certificate (#2208)
  • Make translations tool theme-aware (#2315)
  • Fixed build-workflow to only re-build the website once
  • Bugfix: Use entityID from state to allow overriding the issuer (#2345)
  • When only a single IdP is in scope, skip discovery screen (#2355)
  • Fixed "Undefined array key" warning in RequestedAuthnContextSelector if no RAC is present in the request
  • SimpleSAMLAuthToken cookie is now removed during an SLO

adfs

  • PHP 8.4 support
  • The ADFS-module has been disconnected from the SSP release. To continue to use it, the module has to be manually installed.
  • The ADFS-module was completely rewritten and now uses our own XML-libraries for building, signing and encrypting XML (v3.0.0)

authcrypt

  • PHP 8.4 support

discopower

  • simplesamlphp/simplesamlphp-module-discopower#27
  • simplesamlphp/simplesamlphp-module-discopower#28

ldap

  • Add SASL-support (v2.4.0). Note that this required a newer version of symfony/ldap than the one packaged (v2.4.3)

saml

  • Stricter regexp to verify SubjectID/PairwiseID: disallow trailing spaces.
  • Feature: Add authproc-filter to be able to manipulate the Assertion's Issuer (#2346)

debugsp

  • Added module to allow testing the SP you have in your installation without needing admin login. This is similar to the admin/test page but can more easily be used by an IdP who may not have admin privileges on your site.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [simplesamlphp/simplesamlphp](https://github.com/simplesamlphp/simplesamlphp) to permit the latest version.
- [Release notes](https://github.com/simplesamlphp/simplesamlphp/releases)
- [Changelog](https://github.com/simplesamlphp/simplesamlphp/blob/master/docs/simplesamlphp-changelog.md)
- [Commits](simplesamlphp/simplesamlphp@v2.3.5...v2.3.7)

---
updated-dependencies:
- dependency-name: simplesamlphp/simplesamlphp
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
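As an added example (not part of this PR, and not code from the govCMS or SimpleSAMLphp projects), here is a POSIX shell check a reviewer can run against a `composer.lock` to confirm that the locked `simplesamlphp/simplesamlphp` version is at or above 2.3.7, the release the notes above identify as carrying the CVE-2025-27773 fix. The two sample lock files are constructed, the parser assumes the layout they show (a `"name"` line followed by a `"version"` line, plain numeric x.y.z versions), and the function names `locked_version`, `version_ge` and `check_lock` are chosen here.

```shell
#!/bin/sh
# Added example: gate a composer.lock on the first fixed SimpleSAMLphp release.
# Not project code; assumes the composer.lock layout of the constructed samples
# below and numeric x.y.z versions (an optional leading "v" is stripped).

FIXED_VERSION="2.3.7"                  # first release with the CVE-2025-27773 fix (release notes)
PACKAGE="simplesamlphp/simplesamlphp"

# locked_version LOCKFILE PACKAGE -> prints the locked version of PACKAGE
# (leading "v" stripped), or nothing if the package is not in the lock file.
locked_version() {
    awk -v pkg="$2" '
        $0 ~ "\"name\": \"" pkg "\"" { found = 1; next }
        found && /"version":/ {
            v = $2
            sub(/^"v?/, "", v); sub(/",?$/, "", v)
            print v; exit
        }' "$1"
}

# version_ge HAVE WANT -> exit 0 if HAVE >= WANT, comparing up to three numeric
# components; ".0.0" is appended so short versions such as "2.4" still compare.
version_ge() {
    have="$1.0.0"; want="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_lock LOCKFILE -> 0 if the locked version is at or above FIXED_VERSION,
# 1 if it is older (still exposed to CVE-2025-27773), 2 if the package is absent.
check_lock() {
    v=$(locked_version "$1" "$PACKAGE")
    if [ -z "$v" ]; then
        echo "$1: $PACKAGE not found in lock file"; return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "$1: $PACKAGE $v (>= $FIXED_VERSION, fixed)"; return 0
    fi
    echo "$1: $PACKAGE $v (< $FIXED_VERSION, still affected)"; return 1
}

# Constructed sample lock files: minimal composer.lock excerpts, not real project files.
TMP=$(mktemp -d)
cat > "$TMP/before.lock" <<'EOF'
{
    "packages": [
        {
            "name": "simplesamlphp/simplesamlphp",
            "version": "v2.3.5",
            "source": { "type": "git" }
        }
    ]
}
EOF
cat > "$TMP/after.lock" <<'EOF'
{
    "packages": [
        {
            "name": "simplesamlphp/simplesamlphp",
            "version": "v2.3.7",
            "source": { "type": "git" }
        }
    ]
}
EOF

check_lock "$TMP/before.lock" || true   # reports: still affected
check_lock "$TMP/after.lock"  || true   # reports: fixed
```

Against a real checkout, `check_lock composer.lock` gives exit status 0 (fixed), 1 (affected) or 2 (package absent), so it can sit in a CI job as a merge gate; the version comparison is component-wise rather than lexical so that, for instance, 2.10.0 is correctly ranked above 2.9.9.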
@dependabot dependabot bot requested a review from pandaskii March 11, 2025 20:25
@dependabot dependabot bot added dependencies Pull requests that update a dependency file php Pull requests that update Php code labels Mar 11, 2025
@Monmeena Monmeena changed the title Update simplesamlphp/simplesamlphp requirement from 2.3.5 to 2.3.7 [GOVCMSD10-1227] Update simplesamlphp/simplesamlphp requirement from 2.3.5 to 2.3.7 Mar 11, 2025
@drupal-spider

Reference:

CVE-2025-27773

@ruwanl ruwanl merged commit 1cbccdb into 3.x-develop Mar 12, 2025
1 of 2 checks passed
@ruwanl ruwanl deleted the dependabot/composer/3.x-develop/simplesamlphp/simplesamlphp-2.3.7 branch March 12, 2025 01:07