I have tried to do a replay attack on my own integration of nemlog-in 3 authentication, but I'm having trouble figuring out how to implement protection against it. I have intercepted the request to my assertion endpoint, after login on the IdP, and then saved the SAML response for later use.
If I log in again and replace the SAML response in my new assertion request with the old SAML response, then I'm still getting authenticated. I expected to get rejected, since it's old and has already been used. Do you have built-in protection against replay attacks in your saml2 NuGet package, or do I have to keep track of received SAML responses myself?
You need to enable replay validation: DetectReplayedTokens (default disabled) https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs#L55

.NET Core / .NET 5: and set the TokenReplayCache / implement the ITokenReplayCache https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs#L48

.NET Framework: and set the TokenReplayCache / implement the IdentityModelCaches https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs#L45 and set the TokenReplayCacheExpirationPeriod https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs#L46
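The .NET Core / .NET 5 wiring described in the answer above, as an added example that is not part of the original thread and not code from the ITfoxtec project: a minimal ITokenReplayCache (the Microsoft.IdentityModel.Tokens interface with TryAdd/TryFind) backed by an in-process dictionary, plugged into Saml2Configuration with DetectReplayedTokens turned on. The class name InMemoryTokenReplayCache, the helper ConfigureReplayProtection and the Demo method are assumptions introduced here; the cache key is whatever string the validator hands in and is treated as opaque.

```csharp
using System;
using System.Collections.Concurrent;
using ITfoxtec.Identity.Saml2;
using Microsoft.IdentityModel.Tokens;

// Hypothetical in-process replay cache. Each accepted token is remembered
// until its own expiry (NotOnOrAfter), after which the entry is purged so
// the dictionary does not grow without bound.
public sealed class InMemoryTokenReplayCache : ITokenReplayCache
{
    private readonly ConcurrentDictionary<string, DateTime> _seen = new();

    // Called by the validator after a token passes the other checks.
    // Returns false when the key is already present, i.e. a replay.
    public bool TryAdd(string securityToken, DateTime expiresOn)
    {
        Purge();
        return _seen.TryAdd(securityToken, expiresOn);
    }

    // Called by the validator before accepting a token; true means
    // "seen before, reject".
    public bool TryFind(string securityToken)
    {
        Purge();
        return _seen.ContainsKey(securityToken);
    }

    // Drop entries whose token has expired; an expired assertion is rejected
    // by the NotOnOrAfter check anyway, so it no longer needs tracking.
    private void Purge()
    {
        var now = DateTime.UtcNow;
        foreach (var entry in _seen)
        {
            if (entry.Value <= now)
                _seen.TryRemove(entry.Key, out _);
        }
    }
}

public static class Saml2ReplayProtection
{
    // Enable replay detection on an existing Saml2Configuration.
    // DetectReplayedTokens is false by default, so without this line the
    // scenario in the question (re-posting an old SAML response) succeeds.
    public static Saml2Configuration ConfigureReplayProtection(Saml2Configuration config)
    {
        config.DetectReplayedTokens = true;
        config.TokenReplayCache = new InMemoryTokenReplayCache();
        return config;
    }

    // Constructed demo: the first presentation of a token id is accepted,
    // the second presentation of the same id is flagged as a replay.
    public static bool Demo()
    {
        var cache = new InMemoryTokenReplayCache();
        var assertionId = "_constructed-assertion-id";            // constructed sample key
        var notOnOrAfter = DateTime.UtcNow.AddMinutes(5);

        bool firstAccepted = !cache.TryFind(assertionId) && cache.TryAdd(assertionId, notOnOrAfter);
        bool replayDetected = cache.TryFind(assertionId);        // same id again -> true

        return firstAccepted && replayDetected;                   // expected: true
    }
}
```

An in-process dictionary only protects a single server instance; when the assertion consumer runs behind a load balancer the replayed response can land on a different node with an empty cache, so in that deployment the ITokenReplayCache should sit on a shared store (a distributed cache or database) with the same TryFind/TryAdd semantics.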