Re: [keycloak-user] Add OneTimeUse condition to SAMLResponse

Hi, Is it possible to add an client configuration option to include the <OneTimeUse> condition in the SAMLResponse sent to a client? Currently this element is not included, but I’ve clients that require the use of the OneTimeUse condition, as recommended in the SAML security considerations in paragraph 6.4.4: http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf I think the fix itself is an easy one ( add assertion.getConditions().addCondition(new OneTimeUseType()); to SAML2LoginResponseBuilder) but it might be useful to make this option configurable. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user