stackoom
  简体   繁体   中英

How to prevent replay attack in IDP initiated SSO using SAML2

 原文  2018-11-13 18:55:18       security/ single-sign-on/ saml/ saml-2.0

Question

In IDP initiated SSO, SAML response from IDP could be prone to replay attacks. Since SP has no awareness about the IDP initiated session till it gets the response, what are the possible ways to protect replay attack?

1 answers

solution1
 3 ACCPTED  2018-11-14 07:38:52

The SP should keep a list of IDs of accepted assertions, for the lifetime of the assertion to prevent Replay.

And re the ID change - that's not possible with a properly signed assertion/response. Nothing can be altered by a man-in-the-middle. If altering is possible, you have WAY bigger problems than just replay.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question SAML2: Does a SP initiated web-SSO szenario requires an IdP in the same domain where the requested SP running Java SAML2 SSO client How to use nonce in a login system using php to avoid replay attack? how to avoid replay attack without using time-stamp Identity server 4 - prevent replay attack using Authorization Code flow+ PKCE with oidc-client How to prevent form replay/man-in-the-middle attack in PHP, csrf, xsrf How can I fully trust a SAML IDP? How to prevent a OAuth attack (see attack scenario)? Preventing request replay attack SSO using SAML with Spring Security for REST service
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM