diff --git a/go.mod b/go.mod
index f5e5452565eb8b9a475742b0d4b2836fa7c43a41..bb3f4b913a6ed86b3bfe7ca49486e92f3b450863 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 	git.autistici.org/id/go-sso v0.0.0-20221216110623-a98dfc78fec5
 	git.autistici.org/id/keystore v0.0.0-20221220085250-90031d0af976
 	git.autistici.org/id/usermetadb v0.0.0-20221125171152-3bbb63732147
-	github.com/crewjam/saml v0.4.12
+	github.com/crewjam/saml v0.4.13
 	github.com/duo-labs/webauthn v0.0.0-20220330035159-03696f3d4499
 	github.com/elazarl/go-bindata-assetfs v1.0.1
 	github.com/gorilla/csrf v1.7.1
diff --git a/go.sum b/go.sum
index 36944d1aed83b278eba21447de57545f443d9f5b..3f9d5c853bb22b9f3ac2eb0a6ef5a6160c4f1cd0 100644
--- a/go.sum
+++ b/go.sum
@@ -224,6 +224,8 @@ github.com/crewjam/saml v0.4.10 h1:Rjs6x4s/aQFXiaPjw3uhB4VdxRqoxHXOJrrj4BsMn9o=
 github.com/crewjam/saml v0.4.10/go.mod h1:9Zh6dWPtB3MSzTRt8fIFH60Z351QQ+s7hCU3J/tTlA4=
 github.com/crewjam/saml v0.4.12 h1:66Gsd+9iA/8ZGl8W+7DDTlJGWe3RneBFo+Uu/gvlB0w=
 github.com/crewjam/saml v0.4.12/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
+github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
+github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
 github.com/daaku/go.zipexe v1.0.0/go.mod h1:z8IiR6TsVLEYKwXAoE/I+8ys/sDkgTzSL0CLnGVd57E=
 github.com/daaku/go.zipexe v1.0.1/go.mod h1:5xWogtqlYnfBXkSB1o9xysukNP9GTvaNkqzUZbt3Bw8=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/vendor/github.com/crewjam/saml/README.md b/vendor/github.com/crewjam/saml/README.md
index 71f2478689a349bc988b5af5ba0d789f90b3afd6..c0b9805870d58263a2437f38a416c62be91d1d7a 100644
--- a/vendor/github.com/crewjam/saml/README.md
+++ b/vendor/github.com/crewjam/saml/README.md
@@ -58,7 +58,7 @@ import (
 )
 
 func hello(w http.ResponseWriter, r *http.Request) {
-	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "cn"))
+	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "displayName"))
 }
 
 func main() {
diff --git a/vendor/github.com/crewjam/saml/flate.go b/vendor/github.com/crewjam/saml/flate.go
new file mode 100644
index 0000000000000000000000000000000000000000..4d14e7805bc050ac0a216b9897301bbed9406ed5
--- /dev/null
+++ b/vendor/github.com/crewjam/saml/flate.go
@@ -0,0 +1,31 @@
+package saml
+
+import (
+	"compress/flate"
+	"fmt"
+	"io"
+)
+
+const flateUncompressLimit = 10 * 1024 * 1024 // 10MB
+
+func newSaferFlateReader(r io.Reader) io.ReadCloser {
+	return &saferFlateReader{r: flate.NewReader(r)}
+}
+
+type saferFlateReader struct {
+	r     io.ReadCloser
+	count int
+}
+
+func (r *saferFlateReader) Read(p []byte) (n int, err error) {
+	if r.count+len(p) > flateUncompressLimit {
+		return 0, fmt.Errorf("flate: uncompress limit exceeded (%d bytes)", flateUncompressLimit)
+	}
+	n, err = r.r.Read(p)
+	r.count += n
+	return n, err
+}
+
+func (r *saferFlateReader) Close() error {
+	return r.r.Close()
+}
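Review bot: The guard in `saferFlateReader.Read` compares `r.count+len(p)` with the limit, and `len(p)` is the size of the caller's buffer rather than the number of bytes actually inflated. The point at which the cap trips therefore depends on how `ioutil.ReadAll` grows its buffer, and a stream somewhat under the limit can be rejected. This fails closed, so it is not a bypass, but the effective limit is imprecise. Clamping the read would make it exact: `if r.count >= flateUncompressLimit { return 0, fmt.Errorf(...) }` followed by `if rem := flateUncompressLimit - r.count; len(p) > rem { p = p[:rem] }`. The new type and constructor also have no doc comments; something like `// newSaferFlateReader wraps flate.NewReader and returns an error once flateUncompressLimit bytes have been inflated, bounding memory use when decompressing request data.` would record why plain `flate.NewReader` must not be used at these call sites. Since the file lives under vendor/, any change belongs upstream rather than in the vendored copy.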
diff --git a/vendor/github.com/crewjam/saml/identity_provider.go b/vendor/github.com/crewjam/saml/identity_provider.go
index 4705291696798492cf8b600a8a60cbb17f31521b..bcea5828f56f9912bcda591ef09c197c74a9f768 100644
--- a/vendor/github.com/crewjam/saml/identity_provider.go
+++ b/vendor/github.com/crewjam/saml/identity_provider.go
@@ -2,7 +2,6 @@ package saml
 
 import (
 	"bytes"
-	"compress/flate"
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
@@ -363,7 +362,7 @@ func NewIdpAuthnRequest(idp *IdentityProvider, r *http.Request) (*IdpAuthnReques
 		if err != nil {
 			return nil, fmt.Errorf("cannot decode request: %s", err)
 		}
-		req.RequestBuffer, err = ioutil.ReadAll(flate.NewReader(bytes.NewReader(compressedRequest)))
+		req.RequestBuffer, err = ioutil.ReadAll(newSaferFlateReader(bytes.NewReader(compressedRequest)))
 		if err != nil {
 			return nil, fmt.Errorf("cannot decompress request: %s", err)
 		}
diff --git a/vendor/github.com/crewjam/saml/service_provider.go b/vendor/github.com/crewjam/saml/service_provider.go
index 3eac33f7534f54a35a30f881cbf91e28677ad4d2..6f6e7f4fc81c85808e919661665f8ae7c804c3c9 100644
--- a/vendor/github.com/crewjam/saml/service_provider.go
+++ b/vendor/github.com/crewjam/saml/service_provider.go
@@ -1524,7 +1524,7 @@ func (sp *ServiceProvider) ValidateLogoutResponseRedirect(queryParameterData str
 	}
 	retErr.Response = string(rawResponseBuf)
 
-	gr, err := ioutil.ReadAll(flate.NewReader(bytes.NewBuffer(rawResponseBuf)))
+	gr, err := ioutil.ReadAll(newSaferFlateReader(bytes.NewBuffer(rawResponseBuf)))
 	if err != nil {
 		retErr.PrivateErr = err
 		return retErr
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c002437269e8065dbe650e406fa490712dae7ff4..4a28708e377c174cd1df2289d5e5ac033e57986b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -57,7 +57,7 @@ github.com/coreos/go-systemd/v22/daemon
 github.com/coreos/go-systemd/v22/journal
 # github.com/cpuguy83/go-md2man/v2 v2.0.0
 github.com/cpuguy83/go-md2man/v2/md2man
-# github.com/crewjam/saml v0.4.12
+# github.com/crewjam/saml v0.4.13
 ## explicit
 github.com/crewjam/saml
 github.com/crewjam/saml/logger