
Use Assertion IDs to prevent SAML replay attacks


From the https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf,

"The service provider MUST ensure that bearer assertions are not replayed, by maintaining the set of used ID values for the length of time for which the assertion would be considered valid based on the NotOnOrAfter attribute in the ".

Currently, there’s no way to configure and use this form of defense. It would be nice if the library could handle the assertion ID validation too as part of authentication.

Note: By setting the “allow_unsolicited” config to False, it sort of prevents the replay attacks. But it would take out the IdP initiated logins altogether.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 14 (8 by maintainers)

Top GitHub Comments

1 reaction
basavakanaparthi-alation commented, Mar 30, 2021

Hey @peppelinux I’m planning to open a PR soon, could you reopen this issue and assign it to me?

1 reaction
peppelinux commented, Feb 25, 2021

If allow_unsolicited is set to True we have a correct behaviour, standing on how pysaml2 implemented SAML2-core. I agree that djangosaml2 could enforce this aspect, with a local storage with expirable (60 mins) entities that would simply have session_id, but, sincerely, if I don’t find a motivated contributor to pursue this goal, I would honestly not include this in the roadmap, because I firmly believe that with rare exceptions the allow_unsolicited and IdP-initiated login features shouldn’t be enabled in a production environment.

See Redis TTL and take your time for a PR; when you start, ask me to reopen this issue and be sure that I’ll review and merge your contribution asap.
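A used-ID store of the kind the issue text and the comment above describe, added here as an illustration and not code from djangosaml2 or pysaml2: it records each bearer assertion's ID until its NotOnOrAfter instant, rejects a second presentation of the same ID, and rejects assertions already past that instant. The assertion XML, the in-memory dict, the injectable clock and all function names are assumptions; the Redis SET NX/EX remark in the comments is the multi-worker replacement for the dict.

```python
import xml.etree.ElementTree as ET  # constructed input here; use defusedxml for real IdP input
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def utc_epoch(iso_z):
    """Parse a SAML UTC timestamp such as 2021-02-25T10:05:00Z into epoch seconds."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def bearer_id_and_expiry(assertion_xml):
    """Return (assertion ID, NotOnOrAfter epoch) from the bearer SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") == BEARER:
            data = sc.find(f"{{{SAML_NS}}}SubjectConfirmationData")
            return root.get("ID"), utc_epoch(data.get("NotOnOrAfter"))
    raise ValueError("no bearer SubjectConfirmation in assertion")

class AssertionReplayCache:
    def __init__(self, clock):
        self._clock = clock  # callable returning the current epoch seconds
        self._seen = {}      # ID -> expiry; per-process only, use Redis SET NX + EX across workers

    def accept(self, assertion_xml):
        """True for a fresh, unexpired ID; False for a replay or an already expired assertion."""
        aid, expiry = bearer_id_and_expiry(assertion_xml)
        now = self._clock()
        # forget entries past NotOnOrAfter: replaying them fails the expiry check below anyway
        self._seen = {i: e for i, e in self._seen.items() if e > now}
        if expiry <= now or aid in self._seen:
            return False
        self._seen[aid] = expiry
        return True

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2021-02-25T10:00:00Z">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2021-02-25T10:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""  # constructed, unsigned sample

def run_demo():
    """Present the sample assertion three times under a controllable clock; return the verdicts."""
    now = [utc_epoch("2021-02-25T10:01:00Z")]
    cache = AssertionReplayCache(lambda: now[0])
    first = cache.accept(SAMPLE_ASSERTION)   # fresh ID inside its window: accepted
    replay = cache.accept(SAMPLE_ASSERTION)  # same ID again: replay, rejected
    now[0] = utc_epoch("2021-02-25T10:06:00Z")
    late = cache.accept(SAMPLE_ASSERTION)    # past NotOnOrAfter: rejected even after being forgotten
    return first, replay, late
```

Signature validation and the Recipient/Audience checks are assumed to have already passed; this store only answers whether the ID has been used within its validity window.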
