The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
An XCCDF Rule
Description
SAML is a standard for exchanging authentication and authorization data between security domains. SAML uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority (identity provider) and a SAML consumer (service provider). SAML assertions are usually made about a subject (user), represented by the <Subject> element. SAML assertion identifiers should be unique across a system implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service.
- ID: SV-222401r960759_rule
- Version: APSC-DV-000210
- Severity: Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Design and configure each SAML assertion authority to use unique assertion identifiers.
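As an added example (not part of the STIG text or any vendor's product), the code below shows both halves of the requirement: the asserting party generates each assertion ID as a random xsd:ID value, and the consumer refuses an assertion whose (Issuer, ID) pair it has already accepted while that assertion is still valid. The issuer URL, assertion layout and timestamps are constructed sample values.

```python
import datetime as dt
import re
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# xsd:ID values must start with a letter or underscore, never a digit.
XSD_ID_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def new_assertion_id() -> str:
    """Asserting-party side: 160 random bits, prefixed so the value is a valid xsd:ID."""
    return "_" + secrets.token_hex(20)


class AssertionIdCache:
    """Consumer side: remember each accepted (Issuer, ID) pair until its NotOnOrAfter."""

    def __init__(self):
        self._seen = {}  # (issuer, assertion_id) -> expiry (timezone-aware datetime)

    def accept(self, assertion_xml: str, now: dt.datetime) -> bool:
        root = ET.fromstring(assertion_xml)
        aid = root.get("ID", "")
        issuer = root.findtext(f"{{{SAML_NS}}}Issuer", default="")
        cond = root.find(f"{{{SAML_NS}}}Conditions")
        not_after = cond.get("NotOnOrAfter") if cond is not None else None
        if not issuer or not not_after or not XSD_ID_RE.match(aid):
            return False
        expiry = dt.datetime.fromisoformat(not_after.replace("Z", "+00:00"))
        if now >= expiry:
            return False  # expired assertions are rejected outright
        # Drop entries whose assertions can no longer be presented anyway.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        key = (issuer, aid)
        if key in self._seen:
            return False  # same asserting party reused an ID: duplicate, reject
        self._seen[key] = expiry
        return True


def sample_assertion(aid, issuer="https://idp.example.test",
                     not_after="2030-01-01T00:10:00Z") -> str:
    """Constructed minimal assertion for demonstration (not a real IdP's output)."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{aid}" Version="2.0" '
            f'IssueInstant="2030-01-01T00:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotOnOrAfter="{not_after}"/>'
            f'</saml:Assertion>')
```

Signature and audience validation still run before this check; in a clustered service provider the cache needs a shared store, otherwise a duplicate is only caught on the node that saw the first copy.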