Should the same SAML Response be accepted twice, multiple times?

Should a SAML federation software accept the same SAML response as long as it is within the allowed SAML token lifetime?

In simpler terms: the IdP (identity provider) issues a SAML response, then the SP (service provider) accepts/processes it. Can the same unmodified SAML response then be re-used immediately after the first use, given that the SAML issuance timestamp is within the allowed range?

Security-wise it makes sense to restrict a SAML token (response) to only one use, so that even if it is stolen by a "man-in-the-middle" - it cannot be reused. But in order to implement that, the software needs to store some info about the SAML response somewhere: serial number, a hash of the whole thing?

Please provide some links with explanations on whether that is possible and/or examples of implementation.

Thank you! Alex.

Alex Kovshovik asked Mar 14 '14 22:03


1 Answer

The SAML 2.0 norm provides another way to prevent replay attacks that does not involve storing the ID of the assertion in a database.

  • The SP sends a request with an ID="X" and stores this ID in session.
  • The IDP authenticates the user and sends back a Response with an ID="Y" AND an InResponseTo="X" (which is also normally present in the assertion, in the SubjectConfirmationData).
  • The SP gets the Response and checks that all the InResponseTo values match the one in session. If not, the SP rejects the response.
  • The SP clears the ID in session, thus making replay of the Response impossible. In the ideal case, the SP should clear the ID in session as soon as it receives the response.

This check really complicates the replay attack, as an attacker will also need to have the session cookie of the SP (and even in this case, it's already game over anyway...). It's also good practice to sign the whole response.

Obviously this method is only valid in an SP-initiated scenario.

sk_ answered Sep 20 '22 16:09
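The four steps in the answer above as a minimal SP-side check, added here as an example (not code from the answer or from any SAML library). `SpSession`, `send_authn_request` and `consume_response` are hypothetical names, the embedded Response is a constructed sample, and XML signature verification and NotOnOrAfter checks are assumed to have passed before this step.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class SpSession:
    """Per-browser session state held by the SP (hypothetical name)."""
    def __init__(self):
        self.pending_request_id = None  # ID of the AuthnRequest we sent


def send_authn_request(session, request_id):
    """Step 1: the SP issues AuthnRequest ID=request_id and remembers it in session."""
    session.pending_request_id = request_id


def consume_response(session, response_xml):
    """Steps 3 and 4: compare every InResponseTo with the pending request ID,
    then clear it so the same Response cannot be accepted a second time.
    Returns (accepted, reason)."""
    root = ET.fromstring(response_xml)
    response_irt = root.get("InResponseTo")
    # The assertion normally repeats the value in SubjectConfirmationData
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    assertion_irt = scd.get("InResponseTo") if scd is not None else None
    expected = session.pending_request_id
    if expected is None:
        return False, "no pending AuthnRequest in session (replay or unsolicited)"
    if response_irt != expected or assertion_irt != expected:
        return False, "InResponseTo does not match the pending request ID"
    session.pending_request_id = None  # consume immediately, before any other work
    return True, "accepted"


# Constructed sample Response: ID="Y" answering our AuthnRequest ID="X"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Y" InResponseTo="X">
  <saml:Assertion ID="A1"><saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="X" Recipient="https://sp.example/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject></saml:Assertion>
</samlp:Response>"""


def demo():
    """First delivery is accepted; an identical second delivery is rejected."""
    session = SpSession()
    send_authn_request(session, "X")
    first = consume_response(session, SAMPLE_RESPONSE)
    second = consume_response(session, SAMPLE_RESPONSE)
    return first, second
```

A real SP should parse the message with a hardened XML parser and verify the signature over the whole Response before reaching this check, since a forged InResponseTo would otherwise be trivial.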