[keycloak-user] Add OneTimeUse condition to SAMLResponse

Mark Pardijs mark.pardijs at topicus.nl
Wed Feb 1 08:35:23 EST 2017


OK, I filed https://issues.jboss.org/browse/KEYCLOAK-4360 ;) 

> Op 1 feb. 2017, om 12:21 heeft Hynek Mlnarik <hmlnarik at redhat.com> het volgende geschreven:
> 
> Currently there's no support for OneTimeUse condition in SAML. Feel free to open feature request JIRA.
> 
> --Hynek
> 
> On 02/01/2017 12:13 PM, Mark Pardijs wrote:
>> Hi,
>> 
>> Is it possible to add a client configuration option to include the <OneTimeUse> condition in the SAMLResponse sent to a client? Currently this element is not included, but I’ve clients that require the use of the OneTimeUse condition, as recommended in the SAML security considerations in paragraph 6.4.4:
>> 
>> http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf
>> 
>> I think the fix itself is an easy one ( add assertion.getConditions().addCondition(new OneTimeUseType()); to SAML2LoginResponseBuilder) but it might be useful to make this option configurable.
>> 
>> 
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> 
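Added example (not part of this thread and not Keycloak code): the thread covers the identity-provider side of emitting <OneTimeUse>; this shows what the condition asks of the relying party, i.e. the client that receives the SAMLResponse. Per the SAML 2.0 core and security-considerations text, an assertion carrying <OneTimeUse> must be consumed immediately and not retained for later reuse, so the SP checks the time window and keeps a cache of assertion IDs until NotOnOrAfter so a second presentation of the same assertion is rejected. The assertion XML, the IDs, the hostnames and the timestamps below are constructed for the demo; signature and audience validation are assumed to happen before this step and are out of scope here.

```python
"""Relying-party handling of the SAML 2.0 <OneTimeUse> condition.

Added illustration, not Keycloak's implementation. Signature and
AudienceRestriction checks are assumed to have passed already.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (hypothetical IDs and hosts), not IdP output.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2017-02-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-02-01T11:59:00Z" NotOnOrAfter="2017-02-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction>
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_conditions(assertion_xml):
    """Extract the assertion ID and its <Conditions> into a dict."""
    root = ET.fromstring(assertion_xml.strip())
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 2.0 Assertion element")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return {
        "id": root.attrib["ID"],
        "not_before": parse_instant(cond.attrib["NotBefore"]),
        "not_on_or_after": parse_instant(cond.attrib["NotOnOrAfter"]),
        # Presence of the empty element is what signals the condition.
        "one_time_use": cond.find("saml:OneTimeUse", NS) is not None,
    }


class ReplayCache:
    """Remembers consumed assertion IDs until their NotOnOrAfter passes.

    Entries need only live as long as the assertion itself is valid: once
    it has expired the time check rejects it anyway.
    """

    def __init__(self):
        self._seen = {}  # assertion ID -> expiry (NotOnOrAfter)

    def _purge(self, now):
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def first_use(self, assertion_id, expires, now):
        """Return True the first time an ID is presented, False on replay."""
        self._purge(now)
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def consume_assertion(assertion_xml, cache, now):
    """Enforce the time window and OneTimeUse; return (accepted, reason)."""
    c = read_conditions(assertion_xml)
    if now < c["not_before"]:
        return False, "not yet valid"
    if now >= c["not_on_or_after"]:  # NotOnOrAfter is exclusive
        return False, "expired"
    if c["one_time_use"] and not cache.first_use(c["id"], c["not_on_or_after"], now):
        return False, "replayed OneTimeUse assertion"
    return True, "accepted"


if __name__ == "__main__":
    cache = ReplayCache()
    now = parse_instant("2017-02-01T12:00:30Z")
    print(consume_assertion(SAMPLE_ASSERTION, cache, now))  # accepted
    print(consume_assertion(SAMPLE_ASSERTION, cache, now))  # replay rejected
```

The cache is keyed on the assertion ID rather than on the whole document, which is why the IdP must guarantee unique IDs and why the entry can be dropped at NotOnOrAfter. Without <OneTimeUse> the same assertion is accepted twice by this code; with it, the second presentation within the validity window is refused, which is the behaviour the clients in the thread are asking for.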



