Scenario:
1. Browser (User) requests a resource from the Service Provider (SP).
2. SP redirects (with SAML Request) to the Identity Provider (IdP).
3. Since it is the first login, the User gives the IdP his/her valid credentials.
4. IdP then redirects the Browser (with a SAML Response which includes the SAML token) to the SP page.

I have two questions:

A. In Step 4, does the Browser store or cache the SAML Response and/or SAML token?

B. If yes, what kind of things (attributes? timeouts? protocols?) prevent me from taking that stored SAML token, then copying it over to another computer (with a new session) and using that token to log in to the same SP?
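
Added example, not part of the original question: a sketch of the checks an SP applies to a bearer assertion under the SAML 2.0 Web Browser SSO profile, which are what cause a copied response to be rejected when it is presented again. The `ServiceProvider` class, the URLs and the IDs are hypothetical, the sample assertion is constructed, and signature verification is assumed to have already succeeded.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted; a real SP verifies it first
# and parses untrusted XML with a hardened parser).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42"
        Recipient="https://sp.example/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ServiceProvider:  # hypothetical SP, reduced to its replay-related state
    def __init__(self, entity_id, acs_url):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.pending = set()  # IDs of AuthnRequests this SP sent, not yet answered
        self.seen = {}        # assertion ID -> expiry, kept until NotOnOrAfter

    def accept(self, xml, now):
        a = ET.fromstring(xml)
        scd = a.find(".//saml:SubjectConfirmationData", NS)
        cond = a.find("saml:Conditions", NS)
        aud = [e.text for e in cond.findall(".//saml:Audience", NS)]
        expiry = parse_ts(scd.get("NotOnOrAfter"))
        # Timeout: assertions are valid for minutes, not for the session lifetime.
        if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))) or now >= expiry:
            return "rejected: outside validity window"
        # Addressing: the assertion names the one SP endpoint it was issued for.
        if scd.get("Recipient") != self.acs_url or self.entity_id not in aud:
            return "rejected: issued for a different SP"
        # One-time use: the SP remembers assertion IDs until they expire.
        if a.get("ID") in self.seen:
            return "rejected: assertion ID already used"
        # Request binding: the response must answer a request this SP issued.
        if scd.get("InResponseTo") not in self.pending:
            return "rejected: no matching pending request"
        self.pending.discard(scd.get("InResponseTo"))
        self.seen[a.get("ID")] = expiry
        return "accepted"
```

After a successful `accept`, an SP typically tracks the login with its own session cookie rather than with the assertion, so the assertion itself is only useful during that short window.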