Enforce a Single Use Policy to Enhance Security

The single use policy feature prevents a WS-Federation assertion from being re-used at a Resource Partner to establish a second session.

Ensuring that an assertion is used only once is an additional security measure for authentication across a single sign-on environment. It mitigates the risk that an attacker who obtains a security token response message from a user's browser, after that message has already been used to establish a SiteMinder session, posts the assertion to the WS-Federation Assertion Consumer Service at the Resource Partner to establish a second session.

A single use policy relies on a storage mechanism, called expiry data, that the SiteMinder Session Server provides. Expiry data enforces single use of WS-Federation assertions by storing time-based data about each assertion that has been accepted. The WS-Federation authentication scheme uses the expiry data interface to access this data in the Session Server database.
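The following is an added example, not CA SiteMinder code, that shows the mechanism described above in miniature: a consumer-side store that remembers each accepted assertion only until its expiry time, so a second presentation of the same assertion is refused. It assumes that each assertion carries a unique identifier and an expiry timestamp (both hypothetical field names here) and that signature validation has already happened; the store is in-memory for the demonstration, whereas SiteMinder keeps the equivalent expiry data in the Session Server database so that every Policy Server sees the same record.

```python
# Added example (not CA SiteMinder code): a minimal single-use guard for
# WS-Federation assertions modelled on the "expiry data" idea.
# Assumptions: an assertion is a dict with a unique "id" and a
# "not_on_or_after" expiry (seconds since the epoch); both names are
# hypothetical. The store is in-memory; a real deployment shares it.

import threading
import time
from dataclasses import dataclass, field


@dataclass
class ExpiryDataStore:
    """Records accepted assertion IDs until they expire.

    Because an assertion is rejected outright once its expiry has passed,
    the store only needs to remember an ID until that moment, which keeps
    the table bounded: purge() drops entries that can no longer be replayed.
    """
    _seen: dict = field(default_factory=dict)          # assertion_id -> expires_at
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def record_if_unused(self, assertion_id: str, expires_at: float, now: float) -> bool:
        """Atomic check-and-record.

        Returns True the first time an unexpired assertion is seen and False
        on replay or when the assertion has already expired. The lock makes
        two concurrent posts of the same assertion resolve to one acceptance.
        """
        if expires_at <= now:
            return False                     # stale: never accept, nothing to store
        with self._lock:
            if assertion_id in self._seen:
                return False                 # replay of an already-used assertion
            self._seen[assertion_id] = expires_at
            return True

    def purge(self, now: float) -> int:
        """Remove entries whose expiry has passed; returns how many were dropped."""
        with self._lock:
            stale = [aid for aid, exp in self._seen.items() if exp <= now]
            for aid in stale:
                del self._seen[aid]
            return len(stale)

    def size(self) -> int:
        with self._lock:
            return len(self._seen)


def consume_assertion(store: ExpiryDataStore, assertion: dict, now: float = None) -> str:
    """Simulates the Assertion Consumer Service decision after the
    signature and audience checks (not shown) have passed."""
    now = time.time() if now is None else now
    if store.record_if_unused(assertion["id"], assertion["not_on_or_after"], now):
        return "session-established"
    return "rejected"


def demo() -> list:
    """Replays one constructed assertion and returns the sequence of outcomes."""
    store = ExpiryDataStore()
    # Constructed sample assertion: valid until t=1000.
    assertion = {"id": "_constructed-assertion-001", "not_on_or_after": 1000.0}
    outcomes = [
        consume_assertion(store, assertion, now=900.0),   # first use: accepted
        consume_assertion(store, assertion, now=901.0),   # replay: rejected
        store.purge(now=950.0),                           # not yet expired: 0 dropped
        store.purge(now=1000.0),                          # expired: 1 dropped
        consume_assertion(store, assertion, now=1001.0),  # expired: still rejected
    ]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The decisive property is the atomic check-and-record: testing for the identifier and then writing it as two separate steps would let two near-simultaneous posts of a captured assertion both succeed. Purging by expiry is what keeps the table from growing without bound while still closing the replay window for as long as the assertion itself remains valid.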


Copyright © 2010 CA. All rights reserved.