OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] IdP initiated SSO and RelayState

Cantor, Scott wrote at 2016-5-26 18:19 +0000:
>> Try not to use IdP initiated SSO: the "normal" relay state provides
>> an effective means against replay attacks (as using the same relay state
>> a second time is automatically detected and will fail). If the IdP
>> (rather than the SP) can provide the relay state, replay attacks
>> must be prevented in another (much more complicated) way.
>No. Replay detection is based on the assertion ID or artifact. RelayState can be freely manipulated by the client, so it's not suitable for that.

The standard recommends to use some unguessable value as "RelayState".

Thus, while the client can freely manipulate the value, it should be
difficult by a third party to guess the correct "RelayState" value
and provide appropriate content in the assertion for the guessed value -
apart from replaying such an assertion - which can easily be prevented
by invalidating a relay state value as soon as a response for it

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]