krakenjs / passport-saml-encrypted

A strategy for Passport authentication that supports encrypted SAML responses
MIT License

Added checks for expired assertion #8

Closed coffutt closed 9 years ago

coffutt commented 9 years ago

Current versions don't validate that the SAML assertion conditions for NotOnOrAfter are met. Without checking this parameter, apps are vulnerable to replay attacks where the user can save the SAML assertion and post it back to the app in the future without having to log in.

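The validity-window check coffutt describes, shown as an added example that is not part of the original pull request or of passport-saml-encrypted's own code. It assumes the assertion's signature has already been verified (a time check on an unsigned document proves nothing), uses a constructed sample assertion and a small regex attribute extractor in place of a real XML parser, and treats the `skewMs` clock-tolerance parameter and the `ReplayCache` class as illustrative names. Beyond the expiry check in the PR, it also rejects an assertion whose `ID` has already been accepted inside its window, which is what actually closes the replay gap that `NotOnOrAfter` only narrows.

```javascript
// Constructed sample assertion (not a captured response). Times are chosen so that
// a request at 2015-06-01T12:00:00Z is inside the window and one at 12:05:00Z is not.
const SAMPLE_ASSERTION = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1b2c3" IssueInstant="2015-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2015-06-01T11:59:00Z" NotOnOrAfter="2015-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-06-01T12:05:00Z" Recipient="https://sp.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>`;

// Minimal attribute lookup on the first occurrence of an element (namespace prefix
// optional). Illustrative only: a production strategy should use a real XML parser
// and select nodes by namespace, not by text matching.
function attr(xml, element, name) {
  const re = new RegExp(`<(?:\\w+:)?${element}\\b[^>]*?\\s${name}="([^"]*)"`);
  const m = re.exec(xml);
  return m ? m[1] : null;
}

// xs:dateTime -> epoch milliseconds; a present but unparseable value is an error,
// never silently treated as "no limit".
function parseInstant(value) {
  if (value === null) return null;
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) throw new Error(`unparseable timestamp: ${value}`);
  return ms;
}

// Check Conditions/@NotBefore, Conditions/@NotOnOrAfter and
// SubjectConfirmationData/@NotOnOrAfter against nowMs, allowing skewMs of clock drift.
function validateTiming(xml, nowMs, skewMs = 0) {
  const notBefore = parseInstant(attr(xml, 'Conditions', 'NotBefore'));
  const notOnOrAfter = parseInstant(attr(xml, 'Conditions', 'NotOnOrAfter'));
  const scdNotOnOrAfter = parseInstant(attr(xml, 'SubjectConfirmationData', 'NotOnOrAfter'));

  // An assertion with no expiry at all is replayable forever; refuse it outright.
  if (notOnOrAfter === null && scdNotOnOrAfter === null) {
    return { ok: false, reason: 'no expiry on assertion' };
  }
  if (notBefore !== null && nowMs + skewMs < notBefore) {
    return { ok: false, reason: 'not yet valid' };
  }
  // NotOnOrAfter is exclusive: an instant equal to it is already expired.
  if (notOnOrAfter !== null && nowMs - skewMs >= notOnOrAfter) {
    return { ok: false, reason: 'conditions expired' };
  }
  if (scdNotOnOrAfter !== null && nowMs - skewMs >= scdNotOnOrAfter) {
    return { ok: false, reason: 'subject confirmation expired' };
  }
  return { ok: true, reason: 'within validity window' };
}

// Remembers accepted assertion IDs until they expire, so a replay inside the window
// is also rejected. In-memory for the example; a multi-node SP needs a shared store.
class ReplayCache {
  constructor() { this.seen = new Map(); } // assertion ID -> expiry (epoch ms)
  // Returns true if id was already accepted and is still within its window.
  checkAndRecord(id, expiresMs, nowMs) {
    for (const [k, exp] of this.seen) if (exp <= nowMs) this.seen.delete(k);
    if (this.seen.has(id)) return true;
    this.seen.set(id, expiresMs);
    return false;
  }
}

// Full decision: timing first, then one-time use of the assertion ID.
function acceptAssertion(xml, nowMs, cache, skewMs = 0) {
  const timing = validateTiming(xml, nowMs, skewMs);
  if (!timing.ok) return timing;
  const id = attr(xml, 'Assertion', 'ID');
  if (!id) return { ok: false, reason: 'assertion has no ID' };
  const expiries = [attr(xml, 'Conditions', 'NotOnOrAfter'),
                    attr(xml, 'SubjectConfirmationData', 'NotOnOrAfter')]
    .filter(Boolean).map(parseInstant);
  const expiry = Math.max(...expiries) + skewMs;
  if (cache.checkAndRecord(id, expiry, nowMs)) {
    return { ok: false, reason: 'assertion ID already used' };
  }
  return { ok: true, reason: 'accepted' };
}

const cache = new ReplayCache();
const inWindow = Date.parse('2015-06-01T12:00:00Z');
console.log(acceptAssertion(SAMPLE_ASSERTION, inWindow, cache)); // accepted
console.log(acceptAssertion(SAMPLE_ASSERTION, inWindow, cache)); // replay within window: rejected
console.log(acceptAssertion(SAMPLE_ASSERTION, Date.now(), cache)); // long expired: rejected
```

The skew tolerance widens the window symmetrically (earlier `NotBefore`, later `NotOnOrAfter`), so keep it to a minute or two; the replay cache entry is kept until the skew-adjusted expiry so that a late replay just inside the tolerance is still caught.
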
lmarkus commented 9 years ago

Published. Thanks!