
In IDP-initiated SSO, the SAML response from the IDP could be prone to replay attacks. Since the SP has no awareness of the IDP-initiated session until it gets the response, what are the possible ways to protect against replay attacks?

Shatiz
  • Probably https://stackoverflow.com/questions/22416706/should-the-same-saml-response-be-accepted-twice-multiple-times is a related thread, but what if the ID is changed by a man-in-the-middle? – Shatiz Nov 13 '18 at 19:02
  • Looks like there are ways to sign and encrypt the assertions: https://www.samltool.com/generic_sso_res.php . This, along with the After/Before check, could work. – Shatiz Nov 13 '18 at 19:26

1 Answer


The SP should keep a list of the IDs of accepted assertions, for the lifetime of the assertion, to prevent replay.

And regarding the ID change: that's not possible with a properly signed assertion/response. Nothing can be altered by a man-in-the-middle. If altering is possible, you have WAY bigger problems than just replay.

Anders Abel
  • In addition: a) use HTTPS for communication between the IdP and SP; b) set a short lifetime for the assertion (3-5 min); c) encrypt the assertion. – smartin Nov 14 '18 at 21:33
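The SP-side check the answer and the comment describe, as an added example that is not part of the original answer: an accepted-ID cache kept until the assertion's own NotOnOrAfter passes, combined with the NotBefore/NotOnOrAfter window, a maximum lifetime, and a Recipient check. The assertion below is constructed for the example and the IdP/SP URLs are made up; the element and attribute names are the standard SAML 2.0 ones. The block assumes the XML signature has already been verified by an XML-DSig library before this function is called, because the ID cache only helps once you know the ID was not tampered with.

```python
"""Replay protection for an IdP-initiated SAML assertion (added example).

Assumption: the caller has already verified the XML signature on the
assertion/response with an XML-DSig library; this code only handles the
accepted-ID cache and the validity-window checks from the answer above.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _parse_ts(value):
    # SAML timestamps are UTC ISO-8601, with or without fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported SAML timestamp: " + value)


class ReplayCache:
    """Remembers accepted assertion IDs until the assertion can no longer be
    valid, which is all the SP needs to reject a second presentation."""

    def __init__(self):
        self._seen = {}  # assertion ID -> datetime after which it may be forgotten

    def _prune(self, now):
        for aid, expires_at in list(self._seen.items()):
            if expires_at <= now:
                del self._seen[aid]

    def accept(self, assertion_id, expires_at, now):
        """True the first time an ID is presented, False on a replay."""
        self._prune(now)
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def validate_assertion(xml_text, cache, now, expected_recipient,
                       max_lifetime=timedelta(minutes=5),
                       skew=timedelta(seconds=30)):
    """Return (ok, reason) for an already-signature-verified assertion."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", SAML_NS)
    if assertion is None:
        return False, "no Assertion element"
    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False, "assertion has no ID"
    conditions = assertion.find("saml:Conditions", SAML_NS)
    if conditions is None:
        return False, "no Conditions element"
    not_before = _parse_ts(conditions.get("NotBefore"))
    not_on_or_after = _parse_ts(conditions.get("NotOnOrAfter"))
    # Validity window, with a small clock-skew allowance in each direction.
    if now + skew < not_before:
        return False, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return False, "assertion expired"
    # Refuse assertions the IdP issued with an over-long lifetime (comment b).
    if not_on_or_after - not_before > max_lifetime:
        return False, "assertion lifetime too long"
    # The bearer confirmation must name this SP's ACS, not some other SP's.
    scd = assertion.find(".//saml:SubjectConfirmationData", SAML_NS)
    if scd is None or scd.get("Recipient") != expected_recipient:
        return False, "Recipient does not match this SP"
    # The ID is remembered for the assertion's lifetime plus skew (the answer's point).
    if not cache.accept(assertion_id, not_on_or_after + skew, now):
        return False, "replayed assertion ID"
    return True, "ok"


# Constructed sample assertion (not a real IdP's output); URLs are made up.
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2018-11-14T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2018-11-14T12:05:00Z" Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-11-14T12:00:00Z" NotOnOrAfter="2018-11-14T12:05:00Z"/>
</saml:Assertion>"""


def demo():
    """Present the same assertion twice, then once after it has expired."""
    cache = ReplayCache()
    acs = "https://sp.example.com/saml/acs"
    t0 = datetime(2018, 11, 14, 12, 1, tzinfo=timezone.utc)
    first = validate_assertion(CONSTRUCTED_ASSERTION, cache, t0, acs)
    replay = validate_assertion(CONSTRUCTED_ASSERTION, cache, t0 + timedelta(seconds=10), acs)
    late = validate_assertion(CONSTRUCTED_ASSERTION, ReplayCache(), t0 + timedelta(minutes=10), acs)
    return first, replay, late


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "late"), demo()):
        print(label, result)
```

Two practical caveats: in a clustered SP the cache has to be shared (a database or Redis keyed by assertion ID with a TTL equal to the expiry), otherwise a replay against another node succeeds; and `xml.etree` is used here only because the input is a constructed string, since real SAML input should be parsed with a hardened parser that disables entity expansion.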