Are SAML tokens cache/stored anywhere on the browser?

Question

Scenario:

1. Browser(User) requests resource from Service Provider (SP).
2. SP Redirects (with SAML Request) to Identity Provider (IdP).
3. Since it is first login, User gives the (IdP) his/her valid credentials.
4. IdP then redirects Browser (with SAML Response which includes SAML token) to the SP page.

I have two questions:

A. In Step 4, does the Browser store or cache the SAML Response and/or SAML token?

B. If yes, what kind of things (attributes? timeouts? protocols?) prevent me from taking that stored SAML token. Then coping it over to another computer (with a new session) and using that token to Login to the same SP?

Answer 1

The answer is "sort of" re caching. In your scenario, the Response will be sent via POST to the Service Provider from the browser. So the browser can "cache" the POST data that contains the SAML Response. So, just like any other POST event in browsers, if the user were to use the back button enough times after logging into the SP to get back to the POST event, the POST data could be resent to the SP.

There are a few things that help keep the Response from being hijacked -

1. Use of HTTPS between all parties
2. SP enforcement of NotBefore & NotOnOrAfter attributes
3. SP enforcement of one time use criteria (the SP must ensure that Response is not re-used during its validity period. If the message is received outside the validity window, then the SP should discard the message)

Answer 2

The IDP usually stores a session cookie on the client browser identifying the SAML session. The theft of this session cookie is probably no more protected then any other session cookie.

Using HTTPS in communication between SP and IDP will provide a great deal of protection from session hijacking.