IIDCache - Default Implementation

I downloaded the MVC SSO samples from your website, and in them I'm not seeing any code for an IIDCache implementation. The questions I have are:

Question 1: Is implementation of IIDCache mandatory?
Question 2: If Q1 is true, have you implemented InMemoryIDCache by default in the MVC sample?
Question 3: In a web farm scenario, if DatabaseIDCache is implemented, does only the identity provider need access to the SQL Server database, or does the relying party / SP also need access to the SQL Server database?
Question 4: Can you please point me to a diagram depicting replay attack detection?

Thank you in advance…

1. Implementing the IIDCache is not mandatory.
2. By default we use the InMemoryIDCache. This is perfectly fine in a single server deployment. In a web farm deployment the DatabaseIDCache should be used.
3. The IIDCache is used to detect assertion replay attacks. It's used by the relying party/SP only and is not needed by the claims provider/IdP.
4. The IIDCache keeps track of previously received SAML assertion IDs. Each SAML assertion should have a unique ID. When a SAML assertion is received we check if its ID exists in the IIDCache. If it does then we consider this an error (possibly a replay attack or an accidental resubmission of a previous SAML assertion).
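As an added illustration of the check described in point 4 (example code, not ComponentSpace's own IIDCache; the IReplayCache interface and all names are hypothetical), a minimal thread-safe in-memory cache for the SP side that also drops an ID once the assertion's own NotOnOrAfter time has passed, since a replay after that point is already rejected by the validity check:

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical interface modelling the same contract as an ID cache:
// record an assertion ID and report whether it was already seen.
public interface IReplayCache
{
    // Returns true if the ID was new and has been recorded,
    // false if the same ID was already present (replay or resubmission).
    bool TryAdd(string assertionId, DateTime notOnOrAfterUtc);
}

public sealed class InMemoryReplayCache : IReplayCache
{
    // Assertion ID -> time after which the assertion is invalid anyway
    // and the entry no longer needs to be remembered.
    private readonly ConcurrentDictionary<string, DateTime> _seen =
        new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);

    public bool TryAdd(string assertionId, DateTime notOnOrAfterUtc)
    {
        if (string.IsNullOrEmpty(assertionId))
            throw new ArgumentException("SAML assertion ID is required.", nameof(assertionId));

        Purge(DateTime.UtcNow);

        // TryAdd is atomic, so two requests racing on the same ID cannot both be accepted.
        return _seen.TryAdd(assertionId, notOnOrAfterUtc);
    }

    // Remove IDs whose assertions have expired; ConcurrentDictionary tolerates
    // removal during enumeration, so no extra locking is needed here.
    private void Purge(DateTime nowUtc)
    {
        foreach (var entry in _seen)
        {
            if (entry.Value <= nowUtc)
                _seen.TryRemove(entry.Key, out _);
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var cache = new InMemoryReplayCache();
        // Constructed sample: an assertion ID valid for five more minutes.
        var expiry = DateTime.UtcNow.AddMinutes(5);
        Console.WriteLine(cache.TryAdd("_constructed-assertion-id", expiry)); // first presentation
        Console.WriteLine(cache.TryAdd("_constructed-assertion-id", expiry)); // same ID presented again
    }
}
```

An in-memory dictionary only protects a single server; for a web farm the same TryAdd contract must be backed by storage shared by every node, which is what the DatabaseIDCache described in point 2 provides.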

@Admin: Thanks for your reply. Am I right in saying the IIDCache implementation is not mandatory in a web farm scenario too, and that if it is implemented, it will help prevent replay attacks?

The IIDCache is not mandatory but is highly recommended when acting as the service provider. To be effective in a web farm deployment, the IIDCache should be stored centrally and be accessible from all servers in the farm. The DatabaseIDCache stores the IDs in a database and is intended for use within a web farm. However, you can implement your own IIDCache if you have some other centralized storage mechanism. If you don't use an IIDCache then you won't be able to detect assertion replay attacks.