Reusing an assertion beyond its validity results in authentication decisions based on out-of-date identity information. To prevent reuse, Federation Manager can generate an assertion intended for one-time use, in compliance with the SAML 1.x and 2.0 specifications. The assertion contains elements that tell the relying party not to retain the assertion for future transactions, preventing problems associated with reusing an assertion.
If Federation Manager is acting as the asserting party (Producer/IdP), you can configure one-time use of an assertion. For a SAML 1.x producer, select the Set DoNotCache Condition setting. For a SAML 2.0 IdP, select the Set OneTimeUse Condition setting. Either setting makes Federation Manager insert the element that tells the relying party the assertion is for one-time use.
Note: Do not confuse the one-time use of an assertion with the single use policy for SAML 1.x and 2.0 HTTP-POST single sign-on. Federation Manager uses the single use policy when acting as the relying party, and it applies only to POST transactions. The one-time use feature applies to both HTTP-Artifact and HTTP-POST.
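The relying-party side of the feature described above, as an added example that is not Federation Manager code: it parses a SAML 2.0 or SAML 1.x assertion, reads the NotBefore/NotOnOrAfter window, recognises the OneTimeUse (2.0) or DoNotCacheCondition (1.x) element inside Conditions, and records the assertion ID in a replay cache so that a second presentation of a one-time-use assertion is refused. The sample assertions, issuer names and IDs are constructed for the example, and the code assumes the assertion's signature has already been verified before it is inspected.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces for SAML 2.0 and SAML 1.x (1.0 and 1.1 share one namespace).
NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}


def _parse_utc(value):
    """Parse a SAML dateTime such as 2011-06-01T12:00:00Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_assertion(xml_text):
    """Return ID, validity window and whether the issuer asked for one-time use.

    Assumes the XML signature was verified earlier; this only reads Conditions.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Assertion" % NS["saml2"]:
        prefix, id_attr, marker = "saml2", "ID", "OneTimeUse"
    elif root.tag == "{%s}Assertion" % NS["saml1"]:
        prefix, id_attr, marker = "saml1", "AssertionID", "DoNotCacheCondition"
    else:
        raise ValueError("not a SAML 1.x or 2.0 assertion: %s" % root.tag)
    conditions = root.find("%s:Conditions" % prefix, NS)
    not_before = not_on_or_after = None
    one_time_use = False
    if conditions is not None:
        if conditions.get("NotBefore"):
            not_before = _parse_utc(conditions.get("NotBefore"))
        if conditions.get("NotOnOrAfter"):
            not_on_or_after = _parse_utc(conditions.get("NotOnOrAfter"))
        one_time_use = conditions.find("%s:%s" % (prefix, marker), NS) is not None
    return {"id": root.get(id_attr), "not_before": not_before,
            "not_on_or_after": not_on_or_after, "one_time_use": one_time_use}


class ReplayCache:
    """IDs of consumed assertions, kept until their NotOnOrAfter has passed
    (after that the window check rejects the assertion anyway)."""

    def __init__(self):
        self._seen = {}

    def consume(self, assertion_id, keep_until, now):
        """Record the ID; return False if it was already consumed."""
        for stale in [k for k, until in self._seen.items() if until <= now]:
            del self._seen[stale]
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = keep_until
        return True


def accept_assertion(xml_text, cache, now, default_ttl=timedelta(minutes=5)):
    """Relying-party decision for one presented assertion: (accepted, reason)."""
    info = inspect_assertion(xml_text)
    if info["id"] is None:
        return False, "assertion has no ID"
    if info["not_before"] is not None and now < info["not_before"]:
        return False, "not yet valid"
    if info["not_on_or_after"] is not None and now >= info["not_on_or_after"]:
        return False, "expired"
    if info["one_time_use"]:
        keep_until = info["not_on_or_after"] or now + default_ttl
        if not cache.consume(info["id"], keep_until, now):
            return False, "one-time-use assertion already consumed"
    return True, "accepted"


# Constructed sample assertions (not captured from any real deployment).
SAML2_ONE_TIME = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-2-0-otu" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2011-06-01T12:00:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""
SAML1_DO_NOT_CACHE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_example-1-1-dnc"
  Issuer="https://idp.example.test" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2011-06-01T12:00:00Z" NotOnOrAfter="2011-06-01T12:05:00Z">
    <saml:DoNotCacheCondition/>
  </saml:Conditions>
</saml:Assertion>"""
# Same 2.0 assertion without the one-time-use condition: may be presented again.
SAML2_REUSABLE = SAML2_ONE_TIME.replace("<saml:OneTimeUse/>", "") \
                               .replace("_example-2-0-otu", "_example-2-0-plain")
NOW = datetime(2011, 6, 1, 12, 1, 0, tzinfo=timezone.utc)  # inside the window


def demo():
    """Present each sample twice, then the one-time assertion after expiry."""
    cache, results = ReplayCache(), []
    for name, xml_text in [("saml2-otu", SAML2_ONE_TIME),
                           ("saml1-dnc", SAML1_DO_NOT_CACHE),
                           ("saml2-plain", SAML2_REUSABLE)]:
        for attempt in (1, 2):
            results.append((name, attempt) + accept_assertion(xml_text, cache, NOW))
    late = NOW + timedelta(minutes=10)
    results.append(("saml2-otu", "late") + accept_assertion(SAML2_ONE_TIME, ReplayCache(), late))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The cache only has to remember an ID until NotOnOrAfter, which is why the example evicts entries at that time; an assertion that carries no one-time-use condition passes the cache untouched, which is the behaviour the producer-side setting is meant to change.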
Copyright © 2011 CA. All rights reserved.