OneTimeUse condition of the SAML Assertion

[parthi73]

Hello,

When SP receive saml response from IDP, spring saml security code throws following exception

org.opensaml.common.SAMLException: System cannot honor OneTimeUse condition of the SAML Assertion for WebSSO
at org.springframework.security.saml.websso.WebSSOPro fileConsumerImpl.verifyAssertionConditions(WebSSOP rofileConsumerImpl.java:478)
at org.springframework.security.saml.websso.WebSSOPro fileConsumerImpl.verifyAssertion(WebSSOProfileCons umerImpl.java:298)
at org.springframework.security.saml.websso.WebSSOPro fileConsumerImpl.processAuthenticationResponse(Web SSOProfileConsumerImpl.java:202)

And I checked the SAML response and I do see

<saml2:OneTimeUse/>

If I comment out the code then it works fine.

For the same reason, <saml2:AudienceRestriction> also failing

Any idea why spring saml code throws SAML exception on above both scenarios before creating SAMLCredetials object ?

Any help would be appreciated.

Thanks,
Parthi

[vsch]

Hi Parthi,

The SAML specification says:

The <OneTimeUse> condition element allows an authority to indicate that the information
in the assertion is likely to change very soon and fresh information should be obtained for each use.

The SAML Extension is not able to satisfy this requirement as the SAML assertion is re-used during whole session lifetime until the logout. Therefore it refuses to proceed with the SSO. In case IDP wants to limit validity of the assertion they should use NotBefore and NotOnAfter elements.

You can customize verification of the Assertion conditions by overriding method verifyAssertionConditions in the WebSSOProlfileConsumerImpl.

What IDP are you using, do you know what product is used to implement it?

Vladi

[parthi73]

Hi Vladimir,

Thanks for the quick response. The IDP developed by our customer home-grown product.

I will override the verifyAssertionConditions method.

Thanks,
Parthi