0
votes

In IDP-initiated SSO, the SAML response from the IDP could be prone to replay attacks. Since the SP has no awareness of the IDP-initiated session until it gets the response, what are the possible ways to protect against replay attacks?

1
Probably stackoverflow.com/questions/22416706/… is a related thread, but what if the ID is changed by a man-in-the-middle? - Shatiz
Looks like there are ways to sign and encrypt the assertions: samltool.com/generic_sso_res.php. This, along with the After/Before check, could work. - Shatiz

1 Answer

4
votes

The SP should keep a list of IDs of accepted assertions for the lifetime of the assertion, to prevent replay.

And re the ID change: that's not possible with a properly signed assertion/response. Nothing can be altered by a man-in-the-middle. If altering is possible, you have WAY bigger problems than just replay.
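The accepted-ID list described in the answer, as an added example (not code from the question or answer above): an SP-side cache that remembers each accepted assertion ID until the assertion's own NotOnOrAfter has passed, combined with the NotBefore/NotOnOrAfter window check. It assumes the XML signature over the assertion has already been verified before this code runs; the element names, the hypothetical `ReplayCache` class and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

class ReplayCache:
    """Remembers accepted assertion IDs until the assertion would have expired anyway."""
    def __init__(self):
        self._seen = {}  # assertion ID -> expiry (UTC) after which it can no longer replay

    def check_and_store(self, assertion_id, expires_at, now):
        # Prune entries whose lifetime has passed; an expired assertion fails the window check.
        self._seen = {i: exp for i, exp in self._seen.items() if exp > now}
        if assertion_id in self._seen:
            return False  # same ID presented again inside its lifetime: replay
        self._seen[assertion_id] = expires_at
        return True

def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, cache, now, clock_skew=timedelta(seconds=60)):
    """Return (accepted, reason). Assumes the assertion signature was already verified,
    so the ID and Conditions attributes are trusted as authored by the IdP."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    assertion_id = assertion.get("ID")
    cond = assertion.find("saml:Conditions", NS)
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before:
        return False, "not yet valid"
    if now - clock_skew >= not_on_or_after:
        return False, "expired"
    # Keep the ID for the assertion lifetime plus skew, so a late replay is still caught.
    if not cache.check_and_store(assertion_id, not_on_or_after + clock_skew, now):
        return False, "replayed assertion ID"
    return True, "ok"

# Constructed sample assertion (not a real IdP message; signature element omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""

def demo():
    cache, t0 = ReplayCache(), _parse_time("2024-01-01T12:00:30Z")
    first = accept_assertion(SAMPLE, cache, t0)                          # fresh: accepted
    second = accept_assertion(SAMPLE, cache, t0 + timedelta(seconds=5))  # same ID again: rejected
    late = accept_assertion(SAMPLE, ReplayCache(), _parse_time("2024-01-01T12:10:00Z"))
    return first, second, late
```

The cache must be shared across all SP nodes that accept assertions (a central store, not per-process memory), otherwise a replay against a different node is not caught.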