Forums, Documentation & Knowledge Base - ComponentSpace

SAML Assertion Replay attacks

By karun - 2/27/2020

Hi, we are using the high-level SAML API provided by ComponentSpace for our application, and our application is a Service Provider...

When is assertion expiration checked? Is it when ReceiveSSO is processing the response from the IdP that the assertion expiry check is done?
If it checks, does it depend on SamlSession to verify the assertion timeout? I am asking this to make sure we don't expire or delete the SAML session.

Also, when we extend IIDCache and store the assertion IDs to prevent replay attacks, what is the use of the "expirationDateTime" parameter in the Add method of IIDCache?

Thanks,

By ComponentSpace - 9/24/2020

SAML assertions normally have NotBefore/NotOnOrAfter fields that specify the time period for which the SAML assertion is valid. Typically this is just a few minutes. We set the cached SAML assertion ID to time out at NotOnOrAfter plus a clock skew value of three minutes. So, if the SAML assertion will expire in two minutes, the cache entry will expire in five minutes. If the SAML assertion doesn't include a NotOnOrAfter field, the default timeout for the cache entry is one hour.

The error you're seeing is most likely because you're replaying a SAML response with an InResponseTo field, which is causing a protocol-related exception prior to the assertion replay check. Try sending a SAML response that's part of an IdP-initiated SSO (i.e. no InResponseTo field) multiple times.
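As an added illustration of the cache-timeout rule in the answer above (this is not ComponentSpace code and not its IIDCache interface; it is a small Python model written for this thread), the block below computes the replay-cache expiry as NotOnOrAfter plus a three-minute clock skew, or one hour when there is no NotOnOrAfter, and then replays one constructed assertion at several instants to show what the expiry buys. The names `AssertionIdCache`, `check_assertion`, `demo`, the sample assertion and `T0` are constructed for the example; applying the same three-minute skew to the NotBefore/NotOnOrAfter validity check, and running that check before the replay check, are assumptions rather than something the answer states.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Values stated in the answer above.
CLOCK_SKEW = timedelta(minutes=3)
DEFAULT_CACHE_TIMEOUT = timedelta(hours=1)

# Constructed reference instant used by the demo below.
T0 = datetime(2020, 2, 27, 12, 0, tzinfo=timezone.utc)


def cache_expiry(not_on_or_after: Optional[datetime], now: datetime) -> datetime:
    """Instant at which a cached assertion ID may be forgotten.

    Rule from the answer: NotOnOrAfter plus the clock skew, or one hour from
    receipt if the assertion carries no NotOnOrAfter. After that instant the
    validity check alone rejects the assertion, so the ID no longer needs to
    be remembered and the cache stays bounded.
    """
    if not_on_or_after is None:
        return now + DEFAULT_CACHE_TIMEOUT
    return not_on_or_after + CLOCK_SKEW


class AssertionIdCache:
    """Hypothetical in-memory replay cache (a stand-in, not the library's IIDCache)."""

    def __init__(self) -> None:
        self._entries: Dict[str, datetime] = {}

    def _purge(self, now: datetime) -> None:
        # Drop entries whose expiration has passed.
        for assertion_id in [i for i, exp in self._entries.items() if exp <= now]:
            del self._entries[assertion_id]

    def add(self, assertion_id: str, expiration: datetime, now: datetime) -> bool:
        """Return True if the ID was not seen before, False if it is a replay."""
        self._purge(now)
        if assertion_id in self._entries:
            return False
        self._entries[assertion_id] = expiration
        return True

    def size(self, now: datetime) -> int:
        self._purge(now)
        return len(self._entries)


def check_assertion(cache: AssertionIdCache, assertion: dict, now: datetime) -> str:
    """Validity window first, replay check second (ordering is an assumption)."""
    not_before = assertion.get("not_before")
    not_on_or_after = assertion.get("not_on_or_after")
    # Assumption: the same skew tolerance is applied to the validity window.
    if not_before is not None and now + CLOCK_SKEW < not_before:
        return "rejected: not yet valid"
    if not_on_or_after is not None and now - CLOCK_SKEW >= not_on_or_after:
        return "rejected: expired"
    if not cache.add(assertion["id"], cache_expiry(not_on_or_after, now), now):
        return "rejected: replay"
    return "accepted"


def demo() -> list:
    """Present the same constructed assertion at 0, 0.5, 4 and 6 minutes after T0."""
    assertion = {  # constructed sample values, not a real assertion
        "id": "_constructed-assertion-id-1",
        "not_before": T0 - timedelta(minutes=1),
        "not_on_or_after": T0 + timedelta(minutes=2),  # valid for two minutes
    }
    cache = AssertionIdCache()
    results = []
    for offset in (0, 0.5, 4, 6):
        now = T0 + timedelta(minutes=offset)
        results.append((offset, check_assertion(cache, assertion, now), cache.size(now)))
    return results


if __name__ == "__main__":
    for offset, outcome, cached in demo():
        print(f"t+{offset} min: {outcome} (ids cached: {cached})")
```

The replay at four minutes is the case the skew exists for: the assertion's NotOnOrAfter has passed, but within the three-minute tolerance the validity check still accepts it, so the cache must still hold the ID until five minutes (NotOnOrAfter plus skew). At six minutes the validity check rejects the assertion on its own and the entry has been purged. That is the role of the `expirationDateTime` argument asked about above: it tells the cache how long an ID must be retained before it is safe to forget it.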