OneTimeUse Condition Not Respected
Based on a discussion on the underlying python3-saml library, we are not currently saving "used" assertions anywhere. This means the same SAMLResponse can be used any number of times as long as it has not expired.
This is a low-severity problem, since intercepting and replaying a SAMLResponse is a very advanced attack. In fact, it might be so complex to store this that it is not worth implementing (would likely need to introduce a model and migration). If an attacker is in a position to grab the SAMLResponse, they probably can intercept much more useful traffic (like your username and password sent to the IdP).
I will look into implementing this over the coming days.
Turns out django-allauth solved this - see related discussion here.
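For reference, the consumer-side check the issue describes, as an added example (not code from this project, python3-saml or django-allauth): a store of consumed assertion IDs that is kept only until each assertion's own NotOnOrAfter, so remembering "used" assertions stays bounded without a cleanup job. The assertion XML and IDs below are constructed samples; signature and audience validation are assumed to happen before this check.

```python
import time
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def make_assertion(assertion_id, not_on_or_after):
    """Constructed, unsigned sample carrying only the fields the check reads."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}">'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}">'
        "<saml:OneTimeUse/></saml:Conditions></saml:Assertion>"
    )


def parse_instant(value):
    """SAML xs:dateTime in UTC (trailing 'Z') -> Unix timestamp."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


class AssertionReplayCache:
    """Remembers consumed assertion IDs until their NotOnOrAfter has passed.
    In-memory for illustration; several workers would need a shared store
    (a database table, for example) behind the same interface."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter as Unix seconds

    def __len__(self):
        return len(self._seen)

    def _prune(self, now):
        # An expired assertion is rejected by the time check anyway, so its
        # ID no longer needs to be remembered; this bounds the store's size.
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def consume(self, assertion_xml, now=None):
        """True on the first presentation of an unexpired assertion;
        False when it is expired, has no NotOnOrAfter, or was already used."""
        now = time.time() if now is None else now
        self._prune(now)
        root = ET.fromstring(assertion_xml)
        conditions = root.find(f"{{{SAML_NS}}}Conditions")
        aid = root.get("ID")
        if aid is None or conditions is None or "NotOnOrAfter" not in conditions.attrib:
            return False  # cannot bound how long to remember it: refuse
        expiry = parse_instant(conditions.get("NotOnOrAfter"))
        if now >= expiry or aid in self._seen:
            return False  # expired, or a replay of an already consumed assertion
        self._seen[aid] = expiry
        return True
```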