SAML Response assertion only once instead of time window based on IssueInstant


Naveen Kumar, Sep 1, 2022, 10:10:25 AM, to Pac4j users mailing list
Hi,

I would like to check the feasibility of asserting a SAML response only once, instead of for a time duration based on the IssueInstant field.

Currently, if someone gets the SAMLResponse, he can validate it in another window and is able to log in. Can we check whether the SAMLResponse has already been validated and, if so, not validate it again, instead of relying on that window duration?

Jérôme LELEU, Sep 2, 2022, 4:57:21 AM, to Naveen Kumar, Pac4j users mailing list
Hi,

You should be protected against replay attacks on SAML responses by default.
Can you debug in the validateAssertionReplay method in the SAML2AuthnResponseValidator class?
Thanks.
Best regards,
Jérôme


Naveen Kumar, Sep 2, 2022, 9:01:13 AM, to Pac4j users mailing list
Thank you for replying.

I debugged this code further, but it seems it is not behaving as expected. The debug point goes into this method, but it is not validating more than one call; it is behaving based on the getNotOnOrAfter value.

Do I need to enable anything on the SP side to get it to work?

It always goes into the entry == null check, even when I submit the same SAML response multiple times, and I am able to proceed.

======================== ReplayCache (check) method ============
            final StorageRecord entry = storage.read(context, key);
            if (entry == null) {
                // first time this (context, key) pair is seen: record it with its
                // expiration and report "not a replay" (true) to the caller
                log.debug("Value '{}' was not a replay, adding to cache with expiration time {}", s, expires);
                storage.create(context, key, "x", expires);
                return true;
            }

Thanks & Regards,
Naveen Kumar

Jérôme LELEU, Sep 5, 2022, 11:09:44 AM, to Naveen Kumar, Pac4j users mailing list
Hi,

In fact, this was not the right check. Look at the verifyMessageReplay call in the SAML2AuthnResponseValidator class.

I tried to replay a SAML response and got the following error: WARN  o.o.s.c.b.s.i.MessageReplaySecurityHandler - Message Handler:  Replay detected of message 'id2297052911021946196523457' from issuer 'http://www.okta.com/exk5gxols9EwZuGon0h7'

Thanks.
Best regards,
Jérôme


Naveen Kumar, Sep 5, 2022, 1:25:27 PM, to Pac4j users mailing list
Thanks for the response.

I looked further into the documentation and found that to achieve this we have to have a single instance of SAML2Client, but in our case that was not feasible, hence we took another route of overriding the initSAMLReplayCache method and were able to handle this.

As per the documentation (pac4j: security for Java):
The SAML2Client configures a ReplayCache, which protects against replay attacks. This ReplayCache must keep state between authentications. Therefore a single instance of the SAML2Client must be used. If this is not possible, you can override the initSAMLReplayCache method to create a custom ReplayCacheProvider.

Thanks again for your help on this.
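The override the documentation quoted above describes, as an added example that is not code from pac4j or from either poster. It assumes the pac4j 5 / OpenSAML 4 API as the editor recalls it: that SAML2Client has a protected no-argument initSAMLReplayCache() which assigns a protected field named replayCache of type org.pac4j.saml.replay.ReplayCacheProvider, that ReplayCacheProvider declares a single get() method returning an org.opensaml.storage.ReplayCache, and that ReplayCache.check(context, value, expires) takes a java.time.Instant. The class names SharedReplayCacheProvider and SharedCacheSAML2Client are hypothetical. The point it shows is why several SAML2Client instances each defeat replay detection: the default provider builds a fresh in-memory cache per client, so a response replayed against a different instance is never "seen before". Sharing one cache across instances restores the one-time-use behaviour the thread asks for.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;

import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.storage.ReplayCache;
import org.opensaml.storage.impl.MemoryStorageService;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.saml.exceptions.SAMLException;
import org.pac4j.saml.replay.ReplayCacheProvider;

/**
 * Hypothetical provider (not part of pac4j) that hands every SAML2Client the same
 * ReplayCache, so a SAMLResponse accepted by one client instance is rejected by all.
 * The backing store is still in-memory: it is shared within one JVM only. For a
 * cluster, replace MemoryStorageService with a StorageService backed by a store
 * that all nodes can reach.
 */
public final class SharedReplayCacheProvider implements ReplayCacheProvider {

    // Process-wide cache, built once on first use (double-checked locking on a volatile).
    private static volatile ReplayCache shared;

    @Override
    public ReplayCache get() {
        ReplayCache cache = shared;
        if (cache == null) {
            synchronized (SharedReplayCacheProvider.class) {
                cache = shared;
                if (cache == null) {
                    cache = build();
                    shared = cache;
                }
            }
        }
        return cache;
    }

    private static ReplayCache build() {
        try {
            final MemoryStorageService storage = new MemoryStorageService();
            storage.setId("shared-saml-replay-cache");
            storage.initialize();
            final ReplayCache cache = new ReplayCache();
            cache.setStorage(storage);
            cache.initialize();
            return cache;
        } catch (final ComponentInitializationException e) {
            throw new SAMLException(e);
        }
    }

    /** Hypothetical subclass: swaps the per-instance default for the shared provider. */
    public static class SharedCacheSAML2Client extends SAML2Client {
        public SharedCacheSAML2Client(final SAML2Configuration configuration) {
            super(configuration);
        }

        @Override
        protected void initSAMLReplayCache() {
            // Default pac4j behaviour (assumed) is replayCache = new InMemoryReplayCacheProvider(),
            // i.e. one isolated cache per client instance. Use the shared one instead.
            this.replayCache = new SharedReplayCacheProvider();
        }
    }

    /**
     * Stand-alone illustration of the check itself, with a constructed issuer and message ID.
     * Two provider objects (standing in for two SAML2Client instances) consult one cache:
     * the first check records the ID and returns true, the second sees it and returns false.
     * The expiry is the point after which the entry may be dropped; pac4j passes the
     * assertion's NotOnOrAfter here, because a response that has expired cannot be
     * replayed anyway, so the cache only has to remember IDs for the validity window.
     */
    public static boolean[] demonstrate() {
        final String issuer = "https://idp.example.test/metadata";        // constructed
        final String messageId = "_constructed-response-id-0001";          // constructed
        final Instant expires = Instant.now().plus(5, ChronoUnit.MINUTES);

        final ReplayCache viaFirstClient = new SharedReplayCacheProvider().get();
        final ReplayCache viaSecondClient = new SharedReplayCacheProvider().get();

        final boolean firstUse = viaFirstClient.check(issuer, messageId, expires);   // not a replay
        final boolean replay = viaSecondClient.check(issuer, messageId, expires);    // replay
        return new boolean[] { firstUse, replay };
    }

    public static void main(final String[] args) {
        final boolean[] result = demonstrate();
        System.out.println("first presentation accepted: " + result[0]);
        System.out.println("second presentation accepted: " + result[1]);
    }
}
```

Two caveats a practitioner would check before relying on this: the check is only as good as the store's reach, so with several JVMs behind a load balancer an in-memory cache (shared or not) still lets a captured response be replayed against a different node; and the cache complements rather than replaces the NotOnOrAfter window, since the window bounds how long an entry must be retained and the cache closes the gap inside that window that the original question describes.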