We maintain a cache of assertion IDs and check for replay attacks. If a SAML assertion is replayed, an exception is thrown.
Do you mean the certificate embedded in the XML signature? This certificate is useful for debugging purposes but we don't recommend using it for the actual signature verification. Instead, a separately configured certificate that you can trust should be used.
Regards ComponentSpace Development
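
One way to build an assertion ID replay cache like the one described in the reply above, added here as an illustration and not ComponentSpace's own code. The class names, the Unix-timestamp expiry parameter and the 180 second clock-skew allowance are assumptions.

```python
import threading
import time


class ReplayedAssertionError(Exception):
    """Raised when an assertion ID is presented a second time."""


class AssertionReplayCache:
    """Remembers each assertion ID until the assertion itself has expired.

    Hypothetical helper for a service provider: call check_and_record()
    only after the signature has been verified against the separately
    configured, trusted certificate.
    """

    def __init__(self, clock_skew_seconds=180, now=time.time):
        self._seen = {}                 # assertion ID -> time it can be forgotten
        self._lock = threading.Lock()   # check-then-insert must be atomic
        self._skew = clock_skew_seconds
        self._now = now                 # injectable clock for testing

    def check_and_record(self, assertion_id, not_on_or_after):
        """Accept an assertion once; raise if it is expired or replayed.

        not_on_or_after is the assertion's expiry as a Unix timestamp.
        """
        now = self._now()
        forget_at = not_on_or_after + self._skew
        with self._lock:
            # Drop IDs whose assertions can no longer pass the expiry check,
            # so the cache stays bounded without reopening a replay window.
            for key in [k for k, exp in self._seen.items() if exp <= now]:
                del self._seen[key]
            if now >= forget_at:
                raise ValueError("assertion expired")
            if assertion_id in self._seen:
                raise ReplayedAssertionError(assertion_id)
            self._seen[assertion_id] = forget_at

    def __len__(self):
        with self._lock:
            return len(self._seen)
```

An ID is only forgotten once the expiry check alone would reject the assertion, so purging never lets a replay through.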