Hi
I have seen several discussions on the use and meaning of the OneTimeUse element.
My interpretation of the SAML spec is that it is not related to replay protection and does not say anything about whether the SP should be able to receive the same assertion twice, but only whether this assertion can be used several times internally in the SP. Is this a correct interpretation of this element?
If this is the case, why do both the SAML security considerations and the OWASP project's documentation on SAML recommend using it?
If it's not, what are the use cases of allowing an assertion to be replayed?
Lastly, any ideas on how implementations generally handle this? As I understand it, web browser profiles should discard duplicates even without this, but do most implementations?
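As an added illustration (not part of the original post, and not the code of any particular SAML library), the following Python sketch keeps the two behaviours the question contrasts as separate checks on the SP side: rejecting an assertion whose ID the SP has already consumed (the duplicate-discard behaviour the question attributes to the browser profiles), and declining to retain an assertion for later internal reuse when its Conditions carry OneTimeUse. It assumes the XML signature and audience have already been verified before this code runs, uses the real SAML 2.0 assertion namespace, and the two sample assertions are constructed for the example rather than taken from any IdP.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import NamedTuple, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: Conditions include OneTimeUse (signature omitted on purpose;
# a real SP verifies the signature before trusting anything below).
SAMPLE_ONE_TIME = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample: same validity window, no OneTimeUse.
SAMPLE_REUSABLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-2" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


class Result(NamedTuple):
    accepted: bool
    reason: str
    retained: bool  # True if the SP kept the assertion for later internal use


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    """Parse the xs:dateTime form SAML uses (UTC, trailing Z)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AssertionTracker:
    """Hypothetical SP-side bookkeeping: consumed IDs plus retained assertions."""

    def __init__(self) -> None:
        self._seen_ids: dict[str, datetime] = {}   # ID -> NotOnOrAfter
        self._retained: dict[str, str] = {}         # ID -> assertion XML

    def _purge(self, now: datetime) -> None:
        # IDs only need remembering until the assertion could no longer be valid.
        for aid, expiry in list(self._seen_ids.items()):
            if expiry <= now:
                self._seen_ids.pop(aid)
                self._retained.pop(aid, None)

    def retained_assertion(self, assertion_id: str) -> Optional[str]:
        return self._retained.get(assertion_id)

    def process(self, xml_text: str, now: datetime) -> Result:
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return Result(False, "not a SAML assertion", False)
        aid = root.get("ID")
        if not aid:
            return Result(False, "assertion has no ID", False)
        cond = root.find(f"{{{SAML_NS}}}Conditions")
        if cond is None:
            return Result(False, "no Conditions element", False)

        not_before = _parse_time(cond.get("NotBefore"))
        not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            return Result(False, "assertion not yet valid", False)
        if not_on_or_after is None or now >= not_on_or_after:
            return Result(False, "assertion expired or has no NotOnOrAfter", False)

        self._purge(now)
        # Check 1: the same assertion must not be consumed twice by this SP,
        # independent of whether OneTimeUse is present.
        if aid in self._seen_ids:
            return Result(False, "replayed assertion ID", False)
        self._seen_ids[aid] = not_on_or_after

        # Check 2: OneTimeUse governs internal reuse. Use the assertion now,
        # but do not keep it around for later lookups.
        retain = cond.find(f"{{{SAML_NS}}}OneTimeUse") is None
        if retain:
            self._retained[aid] = xml_text
        return Result(True, "accepted", retain)
```

Because the ID cache is bounded by NotOnOrAfter, the SP only has to remember IDs for the assertion's validity window, which is why a short window matters for the replay check regardless of how OneTimeUse is interpreted.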