spring-attic / spring-security-saml

SAML extension for the Spring Security project

How are replay attacks being prevented? #490

Closed kyale closed 4 years ago

kyale commented 4 years ago

As described in Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0 (https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf), chapter 4.1.4.5, a service provider MUST prevent replay attacks by keeping a cache of processed assertions for as long as an assertion has not expired.

I know that OpenSAML supports preventing replay attacks by offering a security policy and cache implementation against replays, but I cannot find the usage of those implementations anywhere in Spring SAML. I expect WebSSOProfileConsumer to provide such a functionality. Can anyone point me in the right direction on where (if at all) this behavior can be found?
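The cache the profile calls for, as an added example that is not part of this thread, of Spring SAML or of OpenSAML: a stand-alone Java class that remembers each accepted assertion ID until its NotOnOrAfter time (plus an allowance for clock skew) has passed and rejects a second presentation of the same ID. The class name, method names and the sample ID and timestamps in `main` are the example's own.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Replay cache for SAML assertion IDs, following SAML Profiles 2.0 section 4.1.4.5:
 * the SP records the ID of every assertion it accepts until that assertion's
 * NotOnOrAfter has passed, and refuses any later assertion carrying a recorded ID.
 *
 * Illustrative code written for this discussion; not Spring SAML or OpenSAML code,
 * and the class and method names are invented for the example.
 */
public final class AssertionReplayCache {

    /** Assertion ID -> instant after which the entry may be forgotten. */
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();

    /** How long entries are kept beyond NotOnOrAfter, to absorb IdP/SP clock skew. */
    private final Duration skew;

    public AssertionReplayCache(Duration skew) {
        this.skew = Objects.requireNonNull(skew);
    }

    /**
     * Returns true if the assertion ID is new and has now been recorded, false if the
     * same ID was already accepted (a replay). Call this only after the signature and
     * the Conditions element have been validated: the entry's lifetime is derived from
     * NotOnOrAfter, so that value must come from a verified assertion.
     */
    public boolean checkAndRecord(String assertionId, Instant notOnOrAfter, Instant now) {
        Objects.requireNonNull(assertionId);
        Objects.requireNonNull(notOnOrAfter);
        Instant forgetAt = notOnOrAfter.plus(skew);
        evictExpired(now);
        // putIfAbsent is atomic on ConcurrentHashMap, so two requests presenting the
        // same assertion at the same moment cannot both see "absent" and both pass.
        return seen.putIfAbsent(assertionId, forgetAt) == null;
    }

    /**
     * Drops entries whose assertion can no longer be valid. Once NotOnOrAfter (plus skew)
     * has passed, the Conditions check rejects the assertion on its own, which is why
     * the cache only has to live as long as the assertion does.
     */
    public void evictExpired(Instant now) {
        seen.entrySet().removeIf(e -> !e.getValue().isAfter(now));
    }

    public int size() {
        return seen.size();
    }

    public static void main(String[] args) {
        AssertionReplayCache cache = new AssertionReplayCache(Duration.ofMinutes(3));

        // Constructed sample values, not taken from any real assertion.
        Instant now = Instant.parse("2020-06-05T10:00:00Z");
        Instant notOnOrAfter = now.plus(Duration.ofMinutes(5));
        String id = "_constructed-assertion-id-8e2f4c1a";

        System.out.println("first presentation accepted: " + cache.checkAndRecord(id, notOnOrAfter, now));
        System.out.println("replay 30s later accepted:   " + cache.checkAndRecord(id, notOnOrAfter, now.plusSeconds(30)));

        // Past NotOnOrAfter + skew the entry is evicted; a replay at that point is
        // stopped by the Conditions check instead of by the cache.
        Instant late = notOnOrAfter.plus(Duration.ofMinutes(3)).plusSeconds(1);
        cache.evictExpired(late);
        System.out.println("entries left after expiry:   " + cache.size());
    }
}
```

Two practical caveats the class does not solve by itself: the skew allowance should match whatever tolerance the Conditions check already applies, and on a multi-node SP an in-memory map is per node, so the same assertion can be replayed once against each node unless the cache is backed by a store all nodes share.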

jzheaux commented 4 years ago

Thanks for reaching out, @kyale.

Spring Security SAML doesn't support this. Off the top of my head, I'm not sure where the support lives in OpenSAML 1.x.

Because this project is in maintenance mode, you might consider asking for this feature to be added to Spring Security proper, where new SAML functionality is going.

In general, this feels like a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it).

kyale commented 4 years ago

Thanks for the reply @jzheaux. I asked this question on Stack Overflow as well (https://stackoverflow.com/questions/62204127/spring-security-saml-replay-attack-prevention). I created an issue here in order to be able to contribute to the project by adding this functionality if this issue was deemed to be worthy of a change.

jzheaux commented 4 years ago

Awesome, @kyale, and thanks for the link.