That's exactly right. Just to elaborate a little, suppose the SAML assertion included:
An attacker could manipulate this by adding an XML comment.
<NameID>test@component<!-- this is a comment -->space.com</NameID>
The addition of the comment doesn't affect the signature verification as the canonicalization removes the comment.
So, now the XML consists of an element with three child nodes – text, comment and text.
Some libraries simply take the first text node (i.e. test@component).
We concatenate all the text nodes (test@componentspace.com) by calling the XmlNode.InnerText property.