ComponentSpace:DisableAssertionReplayCheck vs. saml:OneTimeUse

ramig
New Member (4 reputation)

Group: Forum Members
Posts: 2, Visits: 10
Hi,
I have a question regarding the replay check.
I've noticed that there is a configuration option for the replay check, but also noticed that the SAML Response can indicate OneTimeUse.
I did some tests and it seems that you ignore the SAML Response saml:OneTimeUse indication.

Meaning:
1. When ComponentSpace:DisableAssertionReplayCheck=false, and no saml:OneTimeUse - Not able to replay
2. When ComponentSpace:DisableAssertionReplayCheck=true, and saml:OneTimeUse - Replay allowed

Am I missing something?
Can you please elaborate on the relation between the two?

Thanks,
Rami


ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
The DisableAssertionReplayCheck does as the name implies. It disables the assertion replay check, meaning that if a SAML assertion is received multiple times, this won't result in an exception indicating a replay.

The OneTimeUse condition indicates the SAML assertion should be used immediately by the service provider and must not be retained for future use. This condition isn't commonly used. We don't check for this condition and implicitly all assertions are treated as one-time-use. This condition is not related to the assertion replay check.

Regards
ComponentSpace Development
ramig
New Member (4 reputation)

Group: Forum Members
Posts: 2, Visits: 10
ComponentSpace - 6/10/2020
The DisableAssertionReplayCheck does as the name implies. It disables the assertion replay check, meaning that if a SAML assertion is received multiple times, this won't result in an exception indicating a replay.

The OneTimeUse condition indicates the SAML assertion should be used immediately by the service provider and must not be retained for future use. This condition isn't commonly used. We don't check for this condition and implicitly all assertions are treated as one-time-use. This condition is not related to the assertion replay check.

Thanks!
One more question: is there a way to clean the cache of the SAML assertions you hold for the replay check? I need it for test purposes.

Tnx.
ComponentSpace
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You can grab an instance of the IIDCache interface using dependency injection and call the RemoveAsync method. For example:


using System.Threading.Tasks;
using ComponentSpace.Saml2.Cache;

public class Test
{
    // Resolved through dependency injection.
    private readonly IIDCache _idCache;

    public Test(IIDCache idCache)
    {
        _idCache = idCache;
    }

    // Returning Task rather than void lets the caller await completion and observe exceptions.
    public async Task ClearCache()
    {
        // Drops the cached assertion ID so that assertion is no longer treated as a replay.
        await _idCache.RemoveAsync("assertion ID goes here");
    }
}



This shouldn't be done in production.

Regards
ComponentSpace Development
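Added example, not ComponentSpace's code: a hypothetical in-memory replay cache that shows the behaviour described in the two answers above, namely a replay check keyed by assertion ID, a DisableAssertionReplayCheck-style switch that bypasses it regardless of saml:OneTimeUse, and a test-only removal analogous to IIDCache.RemoveAsync. The class, method names and constructed assertion values are assumptions, and the Python stands in for the .NET library only to illustrate the logic.

```python
import time
from dataclasses import dataclass


@dataclass
class Assertion:
    """The fields of a received assertion that matter here (constructed, not a real SAML parser)."""
    assertion_id: str
    not_on_or_after: float  # saml:Conditions/@NotOnOrAfter as epoch seconds
    one_time_use: bool = False  # saml:OneTimeUse present; deliberately not consulted below


class ReplayCache:
    """Hypothetical in-memory assertion-ID cache; a stand-in for IIDCache, not the library's code."""

    def __init__(self, disable_replay_check=False, clock=time.time):
        self._ids = {}  # assertion ID -> NotOnOrAfter, so entries can be evicted once expired
        self.disable_replay_check = disable_replay_check
        self._clock = clock

    def accept(self, assertion):
        """Return (accepted, reason) for one presentation of an assertion."""
        now = self._clock()
        # Evict IDs whose assertion has expired: time validation rejects those anyway,
        # so remembering them no longer buys protection and only grows the cache.
        self._ids = {aid: exp for aid, exp in self._ids.items() if exp > now}
        if assertion.not_on_or_after <= now:
            return False, "expired"
        if self.disable_replay_check:
            # Mirrors DisableAssertionReplayCheck=true: a repeat is accepted with or without OneTimeUse.
            return True, "replay check disabled"
        if assertion.assertion_id in self._ids:
            return False, "replay"
        self._ids[assertion.assertion_id] = assertion.not_on_or_after
        return True, "accepted"

    def remove(self, assertion_id):
        """Test-only analogue of IIDCache.RemoveAsync; returns True if an entry was dropped."""
        return self._ids.pop(assertion_id, None) is not None


def replay_scenarios(now=1_600_000_000.0):
    """Constructed scenario: one assertion presented twice under each setting, then after removal."""
    a = Assertion("_constructed-assertion-1", now + 300, one_time_use=True)
    enforcing = ReplayCache(disable_replay_check=False, clock=lambda: now)
    disabled = ReplayCache(disable_replay_check=True, clock=lambda: now)
    return {
        "enforcing": [enforcing.accept(a)[1], enforcing.accept(a)[1]],
        "disabled": [disabled.accept(a)[1], disabled.accept(a)[1]],
        "after_remove": (enforcing.remove(a.assertion_id), enforcing.accept(a)[1]),
    }
```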