OneTimeUse condition of the SAML Assertion


    When the SP receives a SAML response from the IDP, the Spring SAML Security code throws the following exception:

    org.opensaml.common.SAMLException: System cannot honor OneTimeUse condition of the SAML Assertion for WebSSO
    at fileConsumerImpl.verifyAssertionConditions(WebSSOP
    at fileConsumerImpl.verifyAssertion(WebSSOProfileCons
    at fileConsumerImpl.processAuthenticationResponse(Web

    And I checked the SAML response and I do see


    If I comment out the code, then it works fine.

    For the same reason, <saml2:AudienceRestriction> is also failing.

    Any idea why the Spring SAML code throws a SAMLException in both of the above scenarios before creating the SAMLCredential object?

    Any help would be appreciated.


  • #2
    Hi Parthi,

    The SAML specification says:

    The <OneTimeUse> condition element allows an authority to indicate that the information
    in the assertion is likely to change very soon and fresh information should be obtained for each use.
    The SAML Extension is not able to satisfy this requirement, as the SAML assertion is re-used during the whole session lifetime, until logout. Therefore it refuses to proceed with the SSO. In case the IDP wants to limit the validity of the assertion, it should use the NotBefore and NotOnOrAfter elements.

    You can customize verification of the Assertion conditions by overriding the method verifyAssertionConditions in WebSSOProfileConsumerImpl.

    What IDP are you using? Do you know what product is used to implement it?
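    As an added illustration of the override suggested above (this is not code from the Spring SAML project or from anyone in this thread), here is a hypothetical subclass of WebSSOProfileConsumerImpl that honors <OneTimeUse> as a replay restriction rather than rejecting the assertion: the assertion ID is remembered until NotOnOrAfter plus the configured clock skew, and a second presentation of the same assertion is refused. It assumes the Spring Security SAML 1.0.x signature verifyAssertionConditions(Conditions, SAMLMessageContext, boolean), the getResponseSkew() accessor on the consumer, and OpenSAML 2 / Joda-Time types; the class name, the fallback retention window and the in-memory map are assumptions of the example.

```java
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.joda.time.DateTime;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.OneTimeUse;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

// Hypothetical subclass (not part of Spring Security SAML): treats <OneTimeUse> as
// "accept this assertion at most once" and enforces it with a replay cache.
public class OneTimeUseAwareConsumer extends WebSSOProfileConsumerImpl {

    // Assumed fallback retention when the assertion carries no NotOnOrAfter.
    private static final long DEFAULT_RETENTION_MILLIS = 10L * 60 * 1000;

    // Assertion ID -> epoch millis after which the entry may be forgotten.
    // Single-node only; a clustered SP needs a shared store behind this map.
    private final ConcurrentMap<String, Long> seenAssertionIds = new ConcurrentHashMap<String, Long>();

    @Override
    protected void verifyAssertionConditions(Conditions conditions, SAMLMessageContext context,
                                             boolean audienceRequired) throws SAMLException {
        if (conditions != null && removeOneTimeUse(conditions)) {
            rejectIfReplayed(conditions);
        }
        // NotBefore, NotOnOrAfter, AudienceRestriction and the remaining conditions are
        // still checked by the superclass exactly as before.
        super.verifyAssertionConditions(conditions, context, audienceRequired);
    }

    // Drops the <OneTimeUse> element from the condition list so the superclass does not
    // reject it; returns true when the element was present.
    private boolean removeOneTimeUse(Conditions conditions) {
        boolean found = false;
        for (Iterator<Condition> it = conditions.getConditions().iterator(); it.hasNext(); ) {
            if (it.next() instanceof OneTimeUse) {
                it.remove();
                found = true;
            }
        }
        return found;
    }

    // Records the assertion ID; a second presentation within its validity window fails.
    private void rejectIfReplayed(Conditions conditions) throws SAMLException {
        Assertion assertion = (Assertion) conditions.getParent();
        String id = assertion != null ? assertion.getID() : null;
        if (id == null || id.length() == 0) {
            throw new SAMLException("OneTimeUse assertion has no ID and cannot be tracked");
        }
        long now = System.currentTimeMillis();
        purgeExpired(now);
        // Keep the ID at least as long as the assertion itself is valid (plus clock skew),
        // so a replay anywhere inside the validity window is still caught.
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        long forgetAfter = notOnOrAfter != null
                ? notOnOrAfter.getMillis() + getResponseSkew() * 1000L
                : now + DEFAULT_RETENTION_MILLIS;
        if (seenAssertionIds.putIfAbsent(id, forgetAfter) != null) {
            throw new SAMLException("OneTimeUse assertion " + id + " was already consumed");
        }
    }

    // Bounds the cache: entries whose retention deadline has passed are dropped.
    private void purgeExpired(long now) {
        for (Iterator<Map.Entry<String, Long>> it = seenAssertionIds.entrySet().iterator(); it.hasNext(); ) {
            if (it.next().getValue() < now) {
                it.remove();
            }
        }
    }
}
```

    Wire it in place of WebSSOProfileConsumerImpl in the security context XML (the bean that the SAML processing filter uses as its WebSSO profile consumer). The override leaves the time and audience checks untouched and only adds the replay check; it does not change the fact that the extension keeps the resulting session alive until logout, so an IDP that wants short-lived access should still set NotOnOrAfter and rely on session timeouts on the SP.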



    • #3
      Hi Vladimir,

      Thanks for the quick response. The IDP is a home-grown product developed by our customer.

      I will override the verifyAssertionConditions method.