Should the same SAML Response be accepted twice, multiple times?


Question

Should a SAML federation software accept the same SAML response as long as it is within the allowed SAML token lifetime?

In simpler terms: IDP (identity provider) issues a SAML response, then SP (service provider) accepts/processes it. Can the same unmodified SAML response then be re-used immediately after the first use? Given that the SAML issuance timestamp is within the allowed range.

Security-wise it makes sense to restrict a SAML token (response) to only one use, so that even if it is stolen by a "man-in-the-middle" it cannot be reused. But in order to implement that, the software needs to store some info about the SAML response somewhere: a serial number, a hash of the whole thing?

Please provide some links with explanations on how that is possible and/or examples of implementation.

Thanks! Alex.

Answer

Does it make sense, security-wise? Sure. And in fact you can use the "xs:ID" portion of an assertion to assist you (my company's software does).

From Page 9 of CORE:

The xs:ID simple type is used to declare SAML identifiers for assertions, requests, and responses. Values declared to be of type xs:ID in this specification MUST satisfy the following properties in addition to those imposed by the definition of the xs:ID type itself:

• Any party that assigns an identifier MUST ensure that there is negligible probability that that party or any other party will accidentally assign the same identifier to a different data object.

• Where a data object declares that it has a particular identifier, there MUST be exactly one such declaration.

We snatch that ID from an assertion, and drop it into an array with the not-after time, and then throw it out after that time expires. This way the same assertion can't be replayed.

In other software (especially home-grown stuff), this is entirely managed with the Not-Before and Not-On-Or-After portion of the Audience Restriction. Since some software counts solely on these values, the suggested method is to set this period as short as is reasonable. In a perfect world, everyone is using time servers, and their clock skew isn't more than a couple of seconds. A minute prior to, and a minute after, the issue time should be far more than sufficient. While there isn't as much "security" here, it can be "managed".
