pitbulk
commented
1 year ago Sorry for the delayed reply.
To avoid replay attacks, the idea is to register the get_last_message_id // get_last_assertion_id of the validated SAMLResponses during the time you consider the SAMLResponse will fail due to expiration.
Right now the toolkit has 300s https://github.com/SAML-Toolkits/python3-saml/blob/master/src/onelogin/saml2/constants.py#L20
So if you store the ids for 10 min, and you reject automatically the response/assertion already processed, you will be ok
Hello,
I am working on supporting SAML2 in a Django application.
Concerned about security aspects of the protocol, I would like to confirm my understanding of your toolkit before making any mistake. When it comes to replay attacks, what I understand so far is that
get_last_request_id,get_last_message_idandget_last_assertion_idprovides access to the last processed ones.It seems to me that it is not enough. Let me explain. These attacks are not easy to pull off, I know. But what if I have two valid SAML2 flows during a short time frame so that I can replay the first assertion before its expiration ? What I understand, but i may be wrong, is that the
get_last_*_idmethods would provide ids about the second flow. So if the first one is replayed in the good time frame, the ids are not traced anymore and the session is granted.Please forgive me and let me know if I completly misundertood the source code.