Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22028 | APP3910 | SV-25354r1_rule | DCSQ-1 | High |
Description |
---|
When a SAML assertion is used with a <SubjectConfirmation> element, a begin and end time for the <SubjectConfirmation> should be set to prevent reuse of the message at a later time. Not setting a specific time period for the <SubjectConfirmation> may grant immediate access to an attacker and results in an immediate loss of confidentiality. This finding is rated High: any vulnerability associated with a DoD information system or system enclave whose exploitation, by a risk factor, will directly and immediately result in loss of confidentiality, availability or integrity of the system or its associated data. |
STIG | Date |
---|---|
Application Security and Development STIG | 2014-04-03 |
Check Text (C-27024r2_chk) |
---|
Examine the contents of SOAP messages that use the SubjectConfirmation element; every such message should contain the NotOnOrAfter element. This can be done with a protocol analyzer such as Wireshark. 1) If SOAP messages do not contain NotOnOrAfter elements, it is a finding. |
Fix Text (F-23093r2_fix) |
---|
Use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. |
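An added check, not part of this STIG, that automates the manual review above: it parses a SAML 2.0 assertion and reports each SubjectConfirmation whose SubjectConfirmationData lacks NotOnOrAfter, or whose NotBefore/NotOnOrAfter window is not currently open. The assertion, names and URLs are constructed placeholders; the one-minute clock-skew allowance is an assumption.

```python
# Added example (not part of the STIG text): automates the manual check above by
# verifying that every SubjectConfirmation in a SAML 2.0 assertion carries a
# NotOnOrAfter bound (and, if present, a NotBefore bound) that is currently valid.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the ID, subject and URLs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2014-04-03T12:00:00Z">
  <saml:Subject>
    <saml:NameID>user@example.mil</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotBefore="2014-04-03T11:59:00Z"
          NotOnOrAfter="2014-04-03T12:05:00Z" Recipient="https://sp.example.mil/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xs:dateTime as SAML writes it (UTC with a trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def subject_confirmation_findings(assertion_xml, now, skew=timedelta(minutes=1)):
    """Return a list of findings; an empty list means the assertion passes.

    `now` is a timezone-aware datetime; `skew` is the clock-skew tolerance
    (an assumed value) applied at both ends of the validity window.
    """
    root = ET.fromstring(assertion_xml)
    confirmations = root.findall(".//saml:SubjectConfirmation", NS)
    if not confirmations:
        return ["no SubjectConfirmation element present"]
    findings = []
    for i, sc in enumerate(confirmations):
        data = sc.find("saml:SubjectConfirmationData", NS)
        end = data.get("NotOnOrAfter") if data is not None else None
        if end is None:  # the condition this STIG rule checks for
            findings.append(f"SubjectConfirmation[{i}]: NotOnOrAfter missing")
            continue
        if now >= parse_saml_time(end) + skew:
            findings.append(f"SubjectConfirmation[{i}]: expired at {end}")
        start = data.get("NotBefore")
        if start is not None and now + skew < parse_saml_time(start):
            findings.append(f"SubjectConfirmation[{i}]: not valid before {start}")
    return findings
```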