  • OneTimeUse condition of the SAML Assertion

    Hello,

    When the SP receives a SAML response from the IDP, the Spring SAML security code throws the following exception:

    org.opensaml.common.SAMLException: System cannot honor OneTimeUse condition of the SAML Assertion for WebSSO
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertionConditions(WebSSOProfileConsumerImpl.java:478)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.verifyAssertion(WebSSOProfileConsumerImpl.java:298)
    at org.springframework.security.saml.websso.WebSSOProfileConsumerImpl.processAuthenticationResponse(WebSSOProfileConsumerImpl.java:202)

    And I checked the SAML response and I do see:

    <saml2:OneTimeUse/>

    If I comment out the code then it works fine.

    For the same reason, <saml2:AudienceRestriction> is also failing.

    Any idea why the Spring SAML code throws a SAMLException in both scenarios above before creating the SAMLCredential object?

    Any help would be appreciated.

    Thanks,
    Parthi

  • #2
    Hi Parthi,

    The SAML specification says:

    The <OneTimeUse> condition element allows an authority to indicate that the information
    in the assertion is likely to change very soon and fresh information should be obtained for each use.

    The SAML Extension is not able to satisfy this requirement, as the SAML assertion is re-used during the whole session lifetime until the logout. Therefore it refuses to proceed with the SSO. In case the IDP wants to limit validity of the assertion, they should use the NotBefore and NotOnOrAfter elements.

    You can customize verification of the Assertion conditions by overriding the method verifyAssertionConditions in WebSSOProfileConsumerImpl.

    What IDP are you using, do you know what product is used to implement it?

    Vladi

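An added example (not code from this thread or from the Spring SAML project) of the override Vladi describes: a subclass that tolerates <saml2:OneTimeUse/> while still enforcing NotBefore, NotOnOrAfter and AudienceRestriction. It assumes the Spring Security SAML 1.0.x signature verifyAssertionConditions(Conditions, SAMLMessageContext, boolean) and the protected helpers verifyAudience and getResponseSkew; the class name and logger are hypothetical, so check them against the version you run.

```java
import javax.xml.namespace.QName;
import org.joda.time.DateTime;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.OneTimeUse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

// Hypothetical consumer: accepting OneTimeUse is a policy decision, because the SP
// keeps the assertion for the whole session. Pair it with a short session timeout
// rather than relying on the IDP's freshness hint.
public class OneTimeUseTolerantConsumer extends WebSSOProfileConsumerImpl {

    private static final Logger LOG = LoggerFactory.getLogger(OneTimeUseTolerantConsumer.class);

    @Override
    protected void verifyAssertionConditions(Conditions conditions, SAMLMessageContext context,
                                             boolean audienceRequired) throws SAMLException {
        if (audienceRequired && (conditions == null || conditions.getAudienceRestrictions().isEmpty())) {
            throw new SAMLException("Assertion invalidated by missing Audience Restriction");
        }
        if (conditions == null) {
            return; // no conditions present: nothing further to check
        }
        // Same time-window checks as the default implementation, allowing for clock skew.
        DateTime notBefore = conditions.getNotBefore();
        if (notBefore != null && notBefore.minusSeconds(getResponseSkew()).isAfterNow()) {
            throw new SAMLException("Assertion is not yet valid, invalidated by NotBefore " + notBefore);
        }
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notOnOrAfter != null && notOnOrAfter.plusSeconds(getResponseSkew()).isBeforeNow()) {
            throw new SAMLException("Assertion is no longer valid, invalidated by NotOnOrAfter " + notOnOrAfter);
        }
        for (Condition condition : conditions.getConditions()) {
            QName name = condition.getElementQName();
            if (AudienceRestriction.DEFAULT_ELEMENT_NAME.equals(name)) {
                verifyAudience(context, conditions.getAudienceRestrictions()); // still enforced
            } else if (OneTimeUse.DEFAULT_ELEMENT_NAME.equals(name)) {
                LOG.warn("Accepting OneTimeUse condition; assertion will be cached for the session");
            } else {
                // Anything this SP does not understand is rejected, as in the default implementation.
                throw new SAMLException("Assertion contains a condition this SP cannot honor: " + name);
            }
        }
    }
}
```

Wire the subclass in place of WebSSOProfileConsumerImpl in the Spring SAML bean configuration; the rest of the consumer (signature, subject confirmation, issuer checks) is inherited unchanged.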


    • #3
      Hi Vladimir,

      Thanks for the quick response. The IDP is a home-grown product developed by our customer.

      I will override the verifyAssertionConditions method.

      Thanks,
      Parthi
