A single use policy prevents SAML 2.0 assertions from being reused at a Service Provider to establish a second session. This feature applies to assertions that arrive by way of the POST binding.
Note: The single use policy feature is enabled by default when you select the HTTP-POST binding.
Designating an assertion for one time use is an additional security measure for authenticating across a single sign-on environment. From a browser, an attacker can acquire a SAML assertion that has been used to establish a SiteMinder session. The attacker can then POST the assertion to the Assertion Consumer Service at the Service Provider to establish a second session. However, if the assertion is designated for one-time use, this type of risk is mitigated.
SOA Security Manager enforces the single use policy using expiry data, which is time-based data about the assertion. The SAML 2.0 authentication scheme stores the expiry data in the session server, and that stored expiry data is what verifies that a SAML 2.0 POST assertion is used only once.
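The following is an added illustration of the single use check described above; it is not SOA Security Manager or SiteMinder code. An in-memory dictionary stands in for the session server, the assertion XML is a constructed, unsigned sample with made-up IDs and hosts, and the code assumes that signature, Issuer, Recipient and Audience validation have already happened elsewhere in the Assertion Consumer Service. It records each assertion ID together with its expiry data (the earliest NotOnOrAfter on the assertion), rejects a second POST of the same assertion as a replay, and rejects any use after expiry, which is also what lets the store forget an ID once the assertion can no longer be accepted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


class AssertionRejected(Exception):
    """Raised when the single use policy refuses an assertion."""


class SingleUseStore:
    """Stand-in for the session server (assumption, not the product's store):
    maps consumed assertion IDs to their expiry data (NotOnOrAfter). An ID is
    dropped once its assertion has expired, because from then on the expiry
    check alone rejects it, so the store stays bounded."""

    def __init__(self):
        self._seen = {}  # assertion ID -> expiry (aware UTC datetime)

    def consume(self, assertion_id, expiry, now):
        """Record first use; return False if the ID was already consumed."""
        for aid, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[aid]  # purge entries whose assertion has expired
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expiry
        return True


def parse_saml_time(value):
    """SAML 2.0 timestamps are UTC with a 'Z' suffix, optionally with fractions."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise AssertionRejected(f"unparseable timestamp {value!r}")


def check_single_use(assertion_xml, store, now):
    """Accept a POSTed assertion exactly once within its validity window."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 Assertion element")
    aid = root.get("ID")
    if not aid:
        raise AssertionRejected("assertion has no ID attribute")
    # Expiry data: the earliest NotOnOrAfter from Conditions and bearer confirmations
    stamps = []
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        stamps.append(cond.get("NotOnOrAfter"))
    for scd in root.findall(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS
    ):
        if scd.get("NotOnOrAfter"):
            stamps.append(scd.get("NotOnOrAfter"))
    if not stamps:
        raise AssertionRejected("no NotOnOrAfter; replay window would be unbounded")
    expiry = min(parse_saml_time(s) for s in stamps)
    if now >= expiry:
        raise AssertionRejected(f"assertion {aid} expired at {expiry.isoformat()}")
    if not store.consume(aid, expiry, now):
        raise AssertionRejected(f"assertion {aid} already used (replay)")
    return aid


# Constructed sample assertion (unsigned, minimal); the ID and hosts are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample-id-1" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2011-06-01T12:05:00Z"
          Recipient="https://sp.example.test/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-06-01T11:59:00Z" NotOnOrAfter="2011-06-01T12:10:00Z"/>
</saml:Assertion>"""


def demo():
    """Three POSTs of the same assertion: first use, immediate replay, late use."""
    store = SingleUseStore()
    t0 = datetime(2011, 6, 1, 12, 1, 0, tzinfo=timezone.utc)
    outcomes = {}
    for label, at in (("first_use", t0),
                      ("replay", t0 + timedelta(seconds=30)),
                      ("late_use", t0 + timedelta(minutes=5))):
        try:
            outcomes[label] = "accepted " + check_single_use(SAMPLE_ASSERTION, store, at)
        except AssertionRejected as err:
            outcomes[label] = "rejected: " + str(err)
    return outcomes


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running the script shows the first POST accepted, the second rejected as a replay, and the third (after the bearer confirmation's NotOnOrAfter) rejected as expired. Using the earliest NotOnOrAfter rather than the Conditions value alone matters because the bearer SubjectConfirmationData is usually the tighter window, and it is that window the stored expiry data has to cover.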
Copyright © 2011 CA. All rights reserved.