crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Our use of flate.NewReader does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process.