The way XML digital signatures work is so weird. This routinely comes up year-after-year. When I was working at Okta this also resulted in a number of annoying breaches, including this one: https://developer.okta.com/blog/2018/02/27/a-breakdown-of-th...