saml-dev message
Subject: OneTimeUse Clarification


Hi
I have seen several discussions on the use and meaning of the OneTimeUse element.
My interpretation of the SAML spec is that it is not related to replay protection and does not say anything about whether the SP should be able to receive the same assertion twice, but only whether this assertion can be used several times internally in the SP. Is this a correct interpretation of this element?
If this is the case, why do both the SAML security considerations and the OWASP project's documentation on SAML recommend using it?
If it's not, what are the use cases of allowing an assertion to be replayed?

Lastly, any ideas on how implementations generally handle this? As I understand it, web browser profiles should discard duplicates even without this, but do most implementations?


--
Stefan
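The two mechanisms the question contrasts are easy to conflate, so the following is an added illustration (not part of Stefan's message and not the code of any SAML implementation) of how an SP-side check separates them: the Web Browser SSO profile's duplicate-assertion check is a replay cache keyed on the assertion `ID` and bounded by `NotOnOrAfter`, while `OneTimeUse` only tells the SP not to cache the assertion for later authorization decisions. The sample assertion, its `ID`, and the function and class names are constructed for this example; it assumes the XML signature has already been verified before this step runs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_ASSERTION_NS}

# Constructed sample assertion (not a real issuer, ID or subject).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}"
    ID="_constructed-assertion-001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML uses xs:dateTime in UTC; normalise the trailing 'Z' for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class ReplayCache:
    """Assertion IDs already accepted, each kept until its validity window closes.

    Bounding the entry by NotOnOrAfter is what keeps the cache finite: after
    that instant the assertion is rejected as expired anyway.
    """
    seen: dict = field(default_factory=dict)  # assertion ID -> expiry instant

    def purge(self, now: datetime) -> None:
        self.seen = {k: v for k, v in self.seen.items() if v > now}

    def check_and_record(self, assertion_id: str, expires_at: datetime, now: datetime) -> bool:
        """Return True the first time an ID is seen, False on any repeat."""
        self.purge(now)
        if assertion_id in self.seen:
            return False
        self.seen[assertion_id] = expires_at
        return True


def evaluate_assertion(xml_text: str, cache: ReplayCache, now: datetime,
                       clock_skew: timedelta = timedelta(minutes=1)) -> dict:
    """Apply validity-window and replay checks; report whether OneTimeUse forbids caching.

    Assumes the enveloped signature was verified earlier; this function only
    looks at the Conditions element and the assertion ID.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_ASSERTION_NS}}}Assertion":
        return {"accepted": False, "reason": "not-an-assertion"}
    assertion_id = root.get("ID")
    conditions = root.find("saml:Conditions", NS)
    if assertion_id is None or conditions is None:
        return {"accepted": False, "reason": "missing-id-or-conditions"}

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        # Without an upper bound the replay cache could grow without limit.
        return {"accepted": False, "reason": "no-expiry"}
    expires_at = parse_saml_time(not_on_or_after) + clock_skew
    if now >= expires_at:
        return {"accepted": False, "reason": "expired"}
    not_before = conditions.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before) - clock_skew:
        return {"accepted": False, "reason": "not-yet-valid"}

    # Replay check: the profile-level duplicate-ID rule, independent of OneTimeUse.
    if not cache.check_and_record(assertion_id, expires_at, now):
        return {"accepted": False, "reason": "replayed"}

    # OneTimeUse governs only what the SP may do with an accepted assertion later.
    one_time_use = conditions.find("saml:OneTimeUse", NS) is not None
    return {"accepted": True, "reason": "ok", "id": assertion_id,
            "cacheable": not one_time_use}


if __name__ == "__main__":
    cache = ReplayCache()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(evaluate_assertion(SAMPLE_ASSERTION, cache, t0))
    print(evaluate_assertion(SAMPLE_ASSERTION, cache, t0 + timedelta(seconds=5)))
```

The second call is rejected as `replayed` even though the assertion is still inside its validity window, and that rejection does not depend on `OneTimeUse` at all; the element only flips `cacheable` to `False`, meaning the SP must not reuse the accepted assertion for later decisions.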

