ComponentSpace Forums

IIDCache - Default Implementation

srs
New Member

Group: Forum Members
Posts: 4, Visits: 26
I downloaded the MVC SSO samples from your website, and in them I'm not seeing any code for an IIDCache implementation. The questions I have are:

Question 1: Is implementation of IIDCache mandatory?
Question 2: If Q1 is true, have you by default implemented InMemoryIDCache in the MVC sample?
Question 3: In a web farm scenario, if DatabaseIDCache is implemented, does only the identity provider need access to the SQL Server database, or does the relying party / SP also need access to the SQL Server database?
Question 4: Can you please point me to a diagram depicting replay attack detection?

Thank you in advance.
ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 2K, Visits: 4.8K
1. Implementing the IIDCache is not mandatory.
2. By default we use the InMemoryIDCache. This is perfectly fine in a single server deployment. In a web farm deployment the DatabaseIDCache should be used.
3. The IIDCache is used to detect assertion replay attacks. It's used by the relying party/SP only and is not needed by the claims provider/IdP.
4. The IIDCache keeps track of previously received SAML assertion IDs. Each SAML assertion should have a unique ID. When a SAML assertion is received we check if its ID exists in the IIDCache. If it does then we consider this an error (possibly a replay attack or an accidental resubmission of a previous SAML assertion).

Regards
ComponentSpace Development
srs
New Member

Group: Forum Members
Posts: 4, Visits: 26
@Admin: Thanks for your reply. Am I right in saying IIDCache implementation is not mandatory in a web farm scenario too? If it is implemented, it will help prevent replay attacks.
ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 2K, Visits: 4.8K
The IIDCache is not mandatory but highly recommended when acting as the service provider. To be effective in a web farm deployment the IIDCache should be stored centrally and accessible from all servers in the farm. The DatabaseIDCache stores the IDs in a database and is intended for use within a web farm. However, you can implement your own IIDCache if you have some other centralized storage mechanism. If you don't use an IIDCache then you won't be able to detect assertion replay attacks.

Regards
ComponentSpace Development
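The replay check described in the two answers above, as an added illustration that is not ComponentSpace's code: an ID cache that records each assertion ID until its NotOnOrAfter time, rejects a repeat, and shows why per-node memory caches miss a replay that lands on a different farm node while a shared store catches it. Class and function names, the `store` parameter and the injectable clock are assumptions for this example, not the library's IIDCache API.

```python
import threading
import time


class ReplayError(Exception):
    """Raised when a SAML assertion ID has already been processed."""


class AssertionIDCache:
    """Tracks assertion IDs until their NotOnOrAfter time passes.

    `store` is any dict-like object. A private dict behaves like an
    in-memory cache (one per process); a dict shared between instances
    stands in for centralized storage such as a database in a web farm.
    """

    def __init__(self, store=None, now=time.time):
        self._store = {} if store is None else store
        self._now = now          # injectable clock so expiry can be tested
        self._lock = threading.Lock()

    def check_and_add(self, assertion_id, not_on_or_after):
        """Record a first sighting; raise ReplayError on a repeat."""
        with self._lock:
            now = self._now()
            # Drop IDs whose assertions would be rejected as expired anyway,
            # so the store does not grow without bound.
            for aid in [a for a, exp in self._store.items() if exp <= now]:
                del self._store[aid]
            if assertion_id in self._store:
                raise ReplayError(f"assertion {assertion_id} seen before")
            self._store[assertion_id] = not_on_or_after


def replay_detected(first_node, second_node, assertion_id, not_on_or_after):
    """Deliver one assertion ID twice, possibly to two SP nodes, and
    report whether the second delivery was rejected."""
    first_node.check_and_add(assertion_id, not_on_or_after)
    try:
        second_node.check_and_add(assertion_id, not_on_or_after)
    except ReplayError:
        return True
    return False


if __name__ == "__main__":
    exp = time.time() + 300  # constructed NotOnOrAfter, 5 minutes ahead
    single = AssertionIDCache()
    print("single server:", replay_detected(single, single, "_id1", exp))
    print("farm, per-node memory:",
          replay_detected(AssertionIDCache(), AssertionIDCache(), "_id1", exp))
    shared = {}  # models a store every farm node can reach
    print("farm, shared store:",
          replay_detected(AssertionIDCache(shared), AssertionIDCache(shared), "_id1", exp))
```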