OASIS Mailing List Archives


saml-dev message


Subject: RE: [saml-dev] IdP initiated SSO and RelayState


Cantor, Scott wrote at 2016-5-26 18:19 +0000:
>> Try not to use IdP initiated SSO: the "normal" relay state provides
>> an effective means against replay attacks (as using the same relay state
>> a second time is automatically detected and will fail). If the IdP
>> (rather than the SP) can provide the relay state, replay attacks
>> must be prevented in another (much more complicated) way.
>
>No. Replay detection is based on the assertion ID or artifact. RelayState can be freely manipulated by the client, so it's not suitable for that.

The standard recommends using some unguessable value as "RelayState".

Thus, while the client can freely manipulate the value, it should be
difficult for a third party to guess the correct "RelayState" value
and provide appropriate content in the assertion for the guessed value -
apart from replaying such an assertion - which can easily be prevented
by invalidating a relay state value as soon as a response for it
arrives.
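As an added example (not code from this thread or from any OASIS project), the following Python sketch shows SP-side handling that keeps the two mechanisms discussed above separate: replay detection keyed on the assertion ID and its NotOnOrAfter, and a server-issued, unguessable RelayState that is invalidated on first use. The class name, the injected clock and the TTL values are assumptions; an unknown or absent RelayState (the IdP-initiated case) yields no return URL and the caller falls back to a default landing page.

```python
import secrets
import time


class SPReplayGuard:
    """Hypothetical SP-side state for SAML response handling (constructed example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending_relay = {}     # RelayState token -> (expiry, return_url)
        self.seen_assertions = {}   # assertion ID -> NotOnOrAfter

    def issue_relay_state(self, return_url, ttl=300):
        # SP-initiated flow: mint an unguessable, one-time token bound to a return URL.
        token = secrets.token_urlsafe(32)
        self.pending_relay[token] = (self.now() + ttl, return_url)
        return token

    def consume_relay_state(self, token):
        # Invalidate on first use; unknown, reused or expired tokens yield None.
        entry = self.pending_relay.pop(token, None)
        if entry is None:
            return None
        expires, url = entry
        return url if self.now() <= expires else None

    def accept_assertion(self, assertion_id, not_on_or_after):
        # Replay detection is keyed on the assertion ID, remembered until NotOnOrAfter,
        # independently of whatever RelayState the client presented.
        self._purge()
        if self.now() >= not_on_or_after or assertion_id in self.seen_assertions:
            return False
        self.seen_assertions[assertion_id] = not_on_or_after
        return True

    def _purge(self):
        now = self.now()
        for aid in [a for a, exp in self.seen_assertions.items() if exp <= now]:
            del self.seen_assertions[aid]

    def process_response(self, assertion_id, not_on_or_after, relay_state):
        # Returns ("reject", None) for replayed/expired assertions, otherwise ("ok", url)
        # where url is None unless the RelayState matches an unconsumed SP-issued token.
        if not self.accept_assertion(assertion_id, not_on_or_after):
            return ("reject", None)
        url = self.consume_relay_state(relay_state) if relay_state else None
        return ("ok", url)
```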

