saml-dev message

Subject: Re: [saml-dev] OneTimeUse Clarification

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Stefan Rasmusson <rasmusson.stefan@gmail.com>
Date: Mon, 23 Nov 2020 13:51:31 +0000

On 11/21/20, 2:41 PM, "Stefan Rasmusson" <rasmusson.stefan@gmail.com> wrote:

>    Ok, could this for example be in the case of using SAML with web services? And then instead of allowing the sender to
> reuse a token for each request would force the sender to get a newly issued one for each request?

I guess.

>    Interesting. Do you mean that implementations generally do not store the assertion id of received assertion and check
> incoming assertion for replay using this? Instead only relying on the NotAfter attributes?

People rarely cluster replay caches, they're per-node and simply hygiene. The main check is against IssueInstant and against the NotOnOrAfter in the SubjectConfirmation.

-- Scott

Follow-Ups:
- Re: [saml-dev] OneTimeUse Clarification
  - From: Stefan Rasmusson <rasmusson.stefan@gmail.com>

References:
- OneTimeUse Clarification
  - From: Stefan Rasmusson <rasmusson.stefan@gmail.com>
- Re: [saml-dev] OneTimeUse Clarification
  - From: "Cantor, Scott" <cantor.2@osu.edu>
- Re: [saml-dev] OneTimeUse Clarification
  - From: Stefan Rasmusson <rasmusson.stefan@gmail.com>