[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] OneTimeUse Clarification
To the extent that it has any meaning at all, it would be relevant to cases where a normally reusable security token in a web service call or similar context was intended to be limited toÂoneÂuse. That's the sort of thing the condition would work for.
ÂNobody's going to deploy server side state just to do replay checks in SAML, so practically speaking, the real limiting factor is the freshness check.
On 11/13/20, 2:12 AM, "Stefan Rasmusson" <rasmusson.stefan@gmail.com> wrote:
>Â Â HiI have seen several discussions on the use and meaning of the OneTimeUse element.
I've really never seen it come up, which is for the best.
>Â Â If this is the case, why does both the SAML security considerations and then OWASP projects documentation on SAML
> recommend using it?
I wasn't aware the former did, and I certainly wouldn't go by anything OWASP says about SAML. That condition plays no role in any defined SAML profiles.
>Â Â If it's not, what are the use cases of allowing an assertion to be replayed?
To the extent that it has any meaning at all, it would be relevant to cases where a normally reusable security token in a web service call or similar context was intended to be limited to one use. That's the sort of thing the condition would work for.
In effect it's a signal that if a profile allowed for reuse, the token should be guarded for replay. SSO does not allow reuse, period, so it has no need for such a condition, it's implied.
>Â Â Lastly, any ideas on implementations generally handle this? As I understand web browser profiles should discard >duplicates even without this, but do most implementations?
From my testing at times, most random implementations do tend to prevent replay at least in some primitive way on a single server. Nobody's going to deploy server side state just to do replay checks in SAML, so practically speaking, the real limiting factor is the freshness check.
-- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]