Shatiz

Reputation: 817

How to prevent replay attack in IDP initiated SSO using SAML2

In IDP-initiated SSO, the SAML response from the IDP could be prone to replay attacks. Since the SP has no awareness of the IDP-initiated session until it gets the response, what are the possible ways to protect against a replay attack?

Upvotes: 0

Views: 2873

Answers (1)

Anders Abel

Reputation: 69250

The SP should keep a list of IDs of accepted assertions, for the lifetime of the assertion, to prevent replay.

And re the ID change - that's not possible with a properly signed assertion/response. Nothing can be altered by a man-in-the-middle. If altering is possible, you have WAY bigger problems than just replay.

Upvotes: 4
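The replay check the answer describes, as an added example that is not part of the original answer: the SP validates the assertion's Conditions window (with a small clock-skew allowance), then records the assertion ID in a cache that keeps it until NotOnOrAfter has passed, so a second delivery of the same assertion is rejected as a replay while the cache stays bounded. The sample assertion, issuer and subject are constructed for the example; signature verification is assumed to have already succeeded before this code runs, since an unsigned or tampered assertion must be rejected earlier.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the page). Signature verification is
# assumed to have already happened; this code only handles Conditions and replay.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-0001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


class AssertionReplayCache:
    """Remembers accepted assertion IDs until the assertion itself can no longer be valid."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which the entry may be dropped (UTC)

    def purge(self, now):
        """Drop IDs whose assertions are expired; an expired assertion fails validation anyway."""
        for assertion_id in [aid for aid, exp in self._seen.items() if exp <= now]:
            del self._seen[assertion_id]

    def accept(self, assertion_id, keep_until, now):
        """Return True the first time an ID is seen; False if it is a replay."""
        self.purge(now)
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = keep_until
        return True

    def __len__(self):
        return len(self._seen)


def validate_assertion(xml_text, cache, now, clock_skew=timedelta(seconds=60)):
    """Check the Conditions window and the replay cache. Returns (accepted, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        return False, "not an Assertion"
    assertion_id = root.get("ID")
    if not assertion_id:
        return False, "missing ID"
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter"
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + clock_skew < parse_saml_time(not_before):
        return False, "not yet valid"
    if now - clock_skew >= not_on_or_after:
        return False, "expired"
    # Keep the ID for as long as the assertion could still pass the expiry check above.
    if not cache.accept(assertion_id, not_on_or_after + clock_skew, now):
        return False, "replayed"
    return True, "accepted"


if __name__ == "__main__":
    cache = AssertionReplayCache()
    t0 = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, cache, t0))                          # first delivery
    print(validate_assertion(SAMPLE_ASSERTION, cache, t0 + timedelta(seconds=30)))  # replayed
```

The cache must be shared by every SP node that can receive the response (a database or distributed store in a multi-instance deployment), otherwise a replay routed to a different node is accepted. Keeping entries only until NotOnOrAfter plus the skew allowance is enough, because beyond that point the expiry check rejects the assertion regardless of the cache.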
