
Enforcing a Single Use Policy to Enhance Security

The single use policy feature prevents SAML 2.0 assertions that arrive via POST binding from being re-used at a Service Provider to establish a second session.

Note: The single use policy feature is enabled by default when you select the HTTP-POST binding.

Ensuring that an assertion is used only once is an additional security measure for authentication across a single sign-on environment. It mitigates the risk that an attacker who obtains, from a user's browser, a SAML assertion that has already been used to establish a SiteMinder session could POST that assertion to the Assertion Consumer Service at the Service Provider to establish a second session.

The single use policy relies on a storage mechanism provided by the SiteMinder Session Server called expiry data. Expiry data enforces a single use policy for SAML 2.0 POST-binding assertions by storing time-based data about each assertion. The SAML 2.0 authentication scheme accesses the expiry data in the Session Server database through the expiry data interface.
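The expiry data mechanism described above, as an added Python example that is not SiteMinder code: a replay store keyed by assertion ID and bounded by each assertion's NotOnOrAfter, exercised with a constructed sample assertion. Class and function names are hypothetical, the in-memory dict stands in for the Session Server database, and signature validation is assumed to have happened before this check.

```python
import time
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


class AssertionExpiryStore:
    """Stand-in for the Session Server expiry data: consumed assertion ID -> NotOnOrAfter."""

    def __init__(self):
        self.seen = {}  # assertion ID -> POSIX seconds at which it stops being valid

    def _purge(self, now):
        # A record is only needed while the assertion could still pass its own
        # time check, so entries past NotOnOrAfter are dropped; this bounds the store.
        self.seen = {aid: exp for aid, exp in self.seen.items() if exp > now}

    def consume(self, assertion_id, not_on_or_after, now=None):
        """True on the first presentation inside the validity window, else False."""
        now = time.time() if now is None else now
        self._purge(now)
        if not_on_or_after <= now:
            return False  # expired: reject and do not record
        if assertion_id in self.seen:
            return False  # already used to establish a session: replay
        self.seen[assertion_id] = not_on_or_after
        return True


def parse_assertion(xml_text):
    """Return (ID, NotOnOrAfter as POSIX seconds); the signature is assumed already verified."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", SAML_NS)
    conditions = assertion.find("saml:Conditions", SAML_NS)
    expiry = datetime.fromisoformat(conditions.get("NotOnOrAfter").replace("Z", "+00:00"))
    return assertion.get("ID"), expiry.timestamp()


def accept_post_assertion(store, xml_text, now=None):
    """The single use check an Assertion Consumer Service runs after signature validation."""
    assertion_id, not_on_or_after = parse_assertion(xml_text)
    return store.consume(assertion_id, not_on_or_after, now)


# Constructed sample assertion, not captured traffic; a real one carries a signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed-assertion-1" Version="2.0" IssueInstant="2010-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2010-01-01T12:00:00Z" NotOnOrAfter="2010-01-01T12:05:00Z"/>
</saml:Assertion>"""
```

The second presentation of the same assertion inside its window is refused, and once the window closes the record is discarded because the time check alone rejects it from then on.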


Copyright © 2010 CA. All rights reserved.