FishEye / FE-7120

ClassCastException due to validation of SAML assertion signature

    Description

      Hi,

      a customer of our addon reported a bug that is caused by an old version of Xerces used in Fecru.
      This Xerces bug was already fixed in 2005 with version 2.8.0: https://issues.apache.org/jira/browse/XERCESJ-1106.
      The currently supported versions of Fecru make use of the older Xerces version 2.7.1.

      Some background: we are using opensaml3 to handle SAML requests and responses. A common security method in SAML is that a response or parts of the response are signed. The signature is sent inline in the XML body of the SAML response. The validation of such a signature by opensaml3 results in a ClassCastException (see attached screenshot).
      We were not able to build a workaround that does not require modifying the Fecru instance or removing functionality from our addon (which could possibly have security implications for the customer).

      In our tests, we were able to solve this issue by updating the Xerces lib to at least version 2.8.0 in the lib folder of Xerces. But, of course, you will understand that we cannot give any guarantee that this does not affect other parts of Fecru. Also it wouldn't be a good user experience to expect a customer to update a system library to get an addon running.

      That means that we are currently not able to provide the expected functionality for many customers in the default setup of our addon.

      Could you please advise how we should proceed with the issue?

      Best regards,
      Oliver
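As an added illustration of the validation path the report describes (this is example code written for this page, not the addon's code and not Atlassian's), the snippet below does two things a practitioner debugging this would want: it reports which Xerces-J build the JVM actually loaded and where it came from, and it runs the OpenSAML 3 signature checks (profile pre-validation, then cryptographic validation against the IdP certificate) on the inline signatures of a Response and its Assertions, failing closed and attaching the Xerces diagnostic if a ClassCastException surfaces from inside the parser. The class and method names (SamlSignatureCheck, describeXerces, xercesIsFixed, validateResponseSignatures) are hypothetical; the caller is assumed to supply the raw SAML Response bytes and the trusted IdP X.509 certificate, since a real signed response cannot be embedded here.

```java
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.security.cert.X509Certificate;

import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

/** Hypothetical helper (example for this page, not the addon's code). */
public class SamlSignatureCheck {

    /** First Xerces-J release carrying the XERCESJ-1106 fix, as stated in the report. */
    static final int[] MIN_XERCES = {2, 8, 0};

    /** Which Xerces-J is really on the classpath, e.g. "Xerces-J 2.7.1 from file:/.../xercesImpl.jar". */
    static String describeXerces() {
        String version = org.apache.xerces.impl.Version.getVersion();
        URL jar = org.apache.xerces.impl.Version.class.getProtectionDomain().getCodeSource().getLocation();
        return version + " from " + jar;
    }

    /** True when a version string like "Xerces-J 2.7.1" is at least 2.8.0. */
    static boolean xercesIsFixed(String versionString) {
        String[] parts = versionString.replace("Xerces-J", "").trim().split("\\.");
        for (int i = 0; i < MIN_XERCES.length; i++) {
            String digits = i < parts.length ? parts[i].replaceAll("\\D.*", "") : "";
            int have = digits.isEmpty() ? 0 : Integer.parseInt(digits);
            if (have != MIN_XERCES[i]) return have > MIN_XERCES[i];
        }
        return true;
    }

    /**
     * Validates the inline (enveloped) signature on the Response and on every signed Assertion
     * against the trusted IdP certificate. Any failure is thrown; nothing is silently skipped.
     */
    static void validateResponseSignatures(byte[] samlResponseXml, X509Certificate idpCert) throws Exception {
        InitializationService.initialize();
        ParserPool pool = XMLObjectProviderRegistrySupport.getParserPool();
        XMLObject root = XMLObjectSupport.unmarshallFromInputStream(pool, new ByteArrayInputStream(samlResponseXml));
        if (!(root instanceof Response)) {
            throw new SignatureException("Root element is not a saml2p:Response: " + root.getElementQName());
        }
        Response response = (Response) root;
        Credential idp = new BasicX509Credential(idpCert);

        if (response.getSignature() != null) {
            verify(response.getSignature(), idp, "Response " + response.getID());
        }
        for (Assertion assertion : response.getAssertions()) {
            if (assertion.getSignature() != null) {
                verify(assertion.getSignature(), idp, "Assertion " + assertion.getID());
            }
        }
    }

    private static void verify(Signature sig, Credential idp, String what) throws SignatureException {
        try {
            // Profile check first: enveloped signature, one reference to the parent element, sane transforms.
            new SAMLSignatureProfileValidator().validate(sig);
            // Then the cryptographic check against the trusted key (not a key taken from the message).
            SignatureValidator.validate(sig, idp);
        } catch (ClassCastException e) {
            // Fail closed, but make the root cause visible: an old Xerces-J on the classpath.
            throw new IllegalStateException("Signature validation of " + what
                + " failed inside the XML parser; loaded " + describeXerces()
                + (xercesIsFixed(org.apache.xerces.impl.Version.getVersion())
                    ? "" : " (older than 2.8.0, see XERCESJ-1106)"), e);
        }
    }

    /** Quick runtime diagnostic: run this inside the Fecru JVM to see which Xerces-J it loaded. */
    public static void main(String[] args) {
        String loaded = describeXerces();
        System.out.println(loaded);
        System.out.println(xercesIsFixed(org.apache.xerces.impl.Version.getVersion())
            ? "Xerces-J is at or above 2.8.0" : "Xerces-J is older than 2.8.0");
    }
}
```

Two points worth keeping in mind when adapting this: the ClassCastException handler rethrows, so a broken parser never turns into an accepted unsigned response, and the credential passed to SignatureValidator is the configured IdP certificate rather than anything carried in the message's KeyInfo, which is what makes the check meaningful.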

      Attachments

        1. DEVHELP-1832-exception.txt
          23 kB
        2. image005.png
           39 kB

      People

        Assignee: Unassigned
        Reporter: iragudo Ian
        Votes: 16
        Watchers: 13