Subject: Re: [saml-dev] OneTimeUse Clarification
On 11/13/20, 2:12 AM, "Stefan Rasmusson" <rasmusson.stefan@gmail.com> wrote:

> Hi, I have seen several discussions on the use and meaning of the OneTimeUse element.

I've really never seen it come up, which is for the best.

> If this is the case, why do both the SAML security considerations and the OWASP project's documentation on SAML
> recommend using it?

I wasn't aware the former did, and I certainly wouldn't go by anything OWASP says about SAML. That condition plays no role in any defined SAML profiles.

> If it's not, what are the use cases of allowing an assertion to be replayed?

To the extent that it has any meaning at all, it would be relevant to cases where a normally reusable security token in a web service call or similar context was intended to be limited to one use. That's the sort of thing the condition would work for. In effect it's a signal that if a profile allowed for reuse, the token should be guarded for replay. SSO does not allow reuse, period, so it has no need for such a condition; it's implied.

> Lastly, any ideas on how implementations generally handle this? As I understand it, web browser profiles should discard
> duplicates even without this, but do most implementations?

From my testing at times, most random implementations do tend to prevent replay at least in some primitive way on a single server. Nobody's going to deploy server side state just to do replay checks in SAML, so practically speaking, the real limiting factor is the freshness check.

-- Scott
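The freshness-bounded replay check Scott describes, as an added Python example (not code from the thread or from any SAML implementation): the assertion XML, IDs and timestamps are constructed, and signature validation is assumed to have happened before this step. The point it shows is that once every assertion must pass the NotBefore/NotOnOrAfter check, the SP only needs to remember an assertion ID until its window closes, so the replay state stays bounded and OneTimeUse adds nothing for SSO.

```python
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; signature validation is assumed to happen earlier).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1b2c3" Version="2.0" IssueInstant="2020-11-13T07:12:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2020-11-13T07:11:00Z" NotOnOrAfter="2020-11-13T07:17:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(value):
    """SAML dateTime values here are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class AssertionReplayGuard:
    """Remembers assertion IDs only until they could no longer pass the freshness check."""

    def __init__(self, skew=timedelta(minutes=3)):
        self.skew = skew
        self._seen = {}  # assertion ID -> instant after which the entry can be dropped

    def remembered(self):
        return set(self._seen)

    def _evict(self, now):
        self._seen = {aid: exp for aid, exp in self._seen.items() if exp > now}

    def check(self, xml, now):
        """Return (accepted, reason); freshness is checked first, then replay."""
        root = ET.fromstring(xml)
        cond = root.find("saml:Conditions", NS)
        assertion_id = root.get("ID")
        if cond is None or not assertion_id or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
            return False, "missing ID or validity window"
        earliest = parse_ts(cond.get("NotBefore")) - self.skew
        latest = parse_ts(cond.get("NotOnOrAfter")) + self.skew
        if not earliest <= now < latest:
            return False, "outside validity window"
        self._evict(now)  # anything older than its window cannot be replayed anyway
        if assertion_id in self._seen:
            return False, "replayed assertion ID"
        # The ID is recorded whether or not OneTimeUse is present: SSO never permits reuse.
        self._seen[assertion_id] = latest
        return True, "accepted"
```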