Description
In order to prevent SAML replay attacks Omicron should track previously seen SAML assertion IDs and use them as nonces when performing SAML authentication. The SAML Profiles specification 2.0 states the following in section 4.1.4.5:
The service provider MUST ensure that bearer assertions are not replayed, by maintaining the set of used ID values for the length of time for which the assertion would be considered valid based on the NotOnOrAfter attribute in the <SubjectConfirmationData>.
Section 1.3.4 of SAML Core specification v2.0 states uniqueness requirements for ID types (used by assertions, requests, and responses), so they should indeed work for this purpose for well-behaved IdPs.
There's a control in NIST SP 800-53 that speaks to this requirement, which is included in all NIST security baselines:
Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].
OWASP SAML Security Cheat Sheet:
Implement proper replay detection either at the response or assertion level. This will help counter the following attack: Replay (6.1.2)
OWASP ASVS 5.0 (not yet released)
Verify that SAML assertions are uniquely processed and used only once within the validity period to prevent replay attacks.
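To make the requirement concrete, here is an added sketch (illustration for this issue, not Omicron code) of a replay cache that does what the Profiles text describes: remember each consumed assertion ID until its NotOnOrAfter instant, reject a second use inside that window, and drop entries once the window closes. The `ReplayCache`, `Rejection` and `consume` names are hypothetical; `now` is injected so the behaviour is testable.

```rust
use std::collections::HashMap;
use std::time::SystemTime;

/// Hypothetical in-memory replay cache keyed by SAML assertion ID.
/// Each entry lives until the assertion's NotOnOrAfter instant; after
/// that the assertion could not be accepted anyway, so the entry is dropped.
/// (In a deployment with several IdPs, key by issuer + ID so one IdP's IDs
/// cannot collide with another's.)
#[derive(Default)]
pub struct ReplayCache {
    seen: HashMap<String, SystemTime>,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    /// NotOnOrAfter is not in the future: the assertion itself is no longer valid.
    Expired,
    /// The same assertion ID was already consumed within its validity window.
    Replayed,
}

impl ReplayCache {
    /// Records `assertion_id` as consumed, or rejects it.
    pub fn consume(
        &mut self,
        assertion_id: &str,
        not_on_or_after: SystemTime,
        now: SystemTime,
    ) -> Result<(), Rejection> {
        // Purge entries whose validity window has closed; they can no longer
        // be replayed successfully, so remembering them only costs memory.
        self.seen.retain(|_, deadline| *deadline > now);
        // Validity is checked first so an expired assertion never occupies a slot.
        if not_on_or_after <= now {
            return Err(Rejection::Expired);
        }
        if self.seen.contains_key(assertion_id) {
            return Err(Rejection::Replayed);
        }
        self.seen.insert(assertion_id.to_string(), not_on_or_after);
        Ok(())
    }

    /// Number of assertion IDs currently remembered.
    pub fn len(&self) -> usize {
        self.seen.len()
    }
}
```

A real implementation also needs the cache to be shared across all Nexus instances that validate assertions (a per-process map is not enough), and some tolerance for clock skew between the IdP and the service provider.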
Examples
- I briefly looked for examples of specifically how others are solving this; I found this from an Okta help page:
While Okta does not support OneTimeUse, it does have a replay cache. This cache stores the assertion ID to prevent replay of assertions.
-- https://support.okta.com/help/s/article/okta-service-has-protection-against-replay-attacks?language=en_US