ComponentSpace:DisableAssertionReplayCheck vs. saml:OneTimeUse

Hi,
I have a question regarding the replay check.
I've noticed that there is a configuration option for the replay check, but also noticed that the SAML Response can indicate OneTimeUse.
Did some tests and it seems that you ignore the SAML Response saml:OneTimeUse indication.

Meaning:
1. When ComponentSpace:DisableAssertionReplayCheck=false, and no saml:OneTimeUse - Not able to replay
2. When ComponentSpace:DisableAssertionReplayCheck=true, and saml:OneTimeUse - Replay allowed


Am I missing something?
Can you please elaborate on the relation between the two?

Thanks,
Rami

The DisableAssertionReplayCheck does as the name implies. It disables the assertion replay check meaning if a SAML assertion is received multiple times, this won’t result in an exception indicating a replay.

The OneTimeUse condition indicates the SAML assertion should be used immediately by the service provider and must not be retained for future use. This condition isn’t commonly used. We don’t check for this condition and implicitly all assertions are treated as one-time-use. This condition is not related to the assertion replay check.

[quote]
ComponentSpace - 6/10/2020
The DisableAssertionReplayCheck does as the name implies. It disables the assertion replay check meaning if a SAML assertion is received multiple times, this won't result in an exception indicating a replay.

The OneTimeUse condition indicates the SAML assertion should be used immediately by the service provider and must not be retained for future use. This condition isn't commonly used. We don't check for this condition and implicitly all assertions are treated as one-time-use. This condition is not related to the assertion replay check.
[/quote]

Thanks!
One more question: is there a way to clean the cache of the SAML assertions you hold for the replay check? I need it for test purposes.

Tnx.

You can grab an instance of the IIDCache interface using dependency injection and call the RemoveAsync method. For example:


using System.Threading.Tasks;
using ComponentSpace.Saml2.Cache;

public class Test
{
    private readonly IIDCache _idCache;

    public Test(IIDCache idCache)
    {
        _idCache = idCache;
    }

    // Remove one assertion ID from the replay cache so the same assertion can be presented again.
    public async Task ClearCache()
    {
        await _idCache.RemoveAsync("assertion ID goes here");
    }
}



This shouldn’t be done in production.
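As an added illustration (not ComponentSpace's code and not using its API), here is a self-contained C# model of the service-provider replay check discussed in this thread: assertion IDs are remembered until the assertion's NotOnOrAfter, a second presentation of the same ID is rejected whether or not the Conditions carry OneTimeUse, and a Remove method plays the role of the RemoveAsync call above for tests. The five-minute fallback window and the sample assertion are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Xml.Linq;

// Minimal in-memory replay cache for SAML 2.0 assertions (illustrative, not ComponentSpace's IIDCache).
public sealed class AssertionReplayCache
{
    private static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Assertion ID -> instant after which the assertion is invalid anyway and may be forgotten.
    private readonly Dictionary<string, DateTime> _seen = new Dictionary<string, DateTime>();

    // Returns true when the assertion is accepted, false when its ID has already been consumed.
    public bool TryConsume(string assertionXml, DateTime nowUtc)
    {
        XElement assertion = XElement.Parse(assertionXml);
        string id = (string)assertion.Attribute("ID") ?? throw new ArgumentException("assertion has no ID");
        XAttribute notOnOrAfterAttr = assertion.Element(Saml + "Conditions")?.Attribute("NotOnOrAfter");
        DateTime notOnOrAfter = notOnOrAfterAttr != null
            ? DateTime.Parse(notOnOrAfterAttr.Value, CultureInfo.InvariantCulture, DateTimeStyles.AdjustToUniversal)
            : nowUtc.AddMinutes(5); // assumed fallback window when no NotOnOrAfter is present

        // Forget entries whose assertion has expired, so the cache cannot grow without bound.
        foreach (string key in new List<string>(_seen.Keys))
            if (_seen[key] <= nowUtc) _seen.Remove(key);

        // Every assertion is treated as one-time-use; <OneTimeUse/> is not consulted, as in the answer above.
        if (_seen.ContainsKey(id))
            return false;

        _seen[id] = notOnOrAfter;
        return true;
    }

    // Test-only hook, the counterpart of IIDCache.RemoveAsync in the forum answer.
    public bool Remove(string assertionId) => _seen.Remove(assertionId);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample assertion, not a real IdP response.
        const string xml = "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_abc123\" Version=\"2.0\" " +
            "IssueInstant=\"2020-06-10T10:00:00Z\"><Conditions NotOnOrAfter=\"2020-06-10T10:05:00Z\">" +
            "<OneTimeUse/></Conditions></Assertion>";
        var cache = new AssertionReplayCache();
        var now = new DateTime(2020, 6, 10, 10, 1, 0, DateTimeKind.Utc);
        Console.WriteLine(cache.TryConsume(xml, now)); // first presentation
        Console.WriteLine(cache.TryConsume(xml, now)); // same assertion presented again
        cache.Remove("_abc123");                       // test-only reset of that ID
        Console.WriteLine(cache.TryConsume(xml, now)); // accepted again only because the cache was cleared
    }
}
```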