
The designer shall use the NotOnOrAfter property when using the <SubjectConfirmation> element in a SAML assertion.


Overview

Finding ID: V-22028
Version: APP3910
Rule ID: SV-25354r1_rule
IA Controls: DCSQ-1
Severity: High
Description
When a SAML 2.0 assertion carries a <SubjectConfirmation> element, the <SubjectConfirmationData> inside it should set a validity window (NotBefore and NotOnOrAfter attributes) so that a captured assertion cannot be replayed later. Without an end time, anyone who obtains the assertion (for example a bearer assertion lifted from an unprotected SOAP message) can present it at any later time and be granted the subject's access, which is an immediate loss of confidentiality. Severity High is assigned to any vulnerability in a DoD information system or system enclave whose exploitation will directly and immediately result in loss of confidentiality, availability or integrity of the system or its data.
STIG: Application Security and Development Checklist
Date: 2014-04-03

Details

Check Text ( C-27024r2_chk )
Examine the contents of SOAP messages that carry a SAML assertion with a SubjectConfirmation element. In every such message the SubjectConfirmationData child must carry a NotOnOrAfter attribute; a NotOnOrAfter on the assertion-level Conditions element alone does not satisfy this check. This can be done with a protocol analyzer such as Wireshark, provided the SOAP traffic is captured before TLS encryption or the TLS session keys are available to the analyzer; otherwise the assertion body is not visible.

1) If SOAP messages do not contain a NotOnOrAfter attribute on their SubjectConfirmationData, it is a finding.
Fix Text (F-23093r2_fix)
Set the NotOnOrAfter attribute (together with NotBefore) on the SubjectConfirmationData child of every SubjectConfirmation element in the SAML assertion, and keep the window short enough that a captured assertion becomes useless soon after it is issued.
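The following script is an added example, not part of the STIG or its check procedure. It performs the check above on decoded SAML 2.0 assertions and shows what the fix looks like: two assertions are constructed inline (only the SAML namespace URI and attribute names are real; the issuer, subject and recipient values are made up), the first bounded by NotBefore/NotOnOrAfter as the fix text requires, the second missing NotOnOrAfter. The script also flags an overly long window against an assumed local policy of ten minutes, which goes beyond the STIG's presence-only check.

```python
"""Added example (not from the STIG): audit SAML 2.0 assertions for APP3910.

For every <saml:SubjectConfirmation> the audit reports whether the nested
<saml:SubjectConfirmationData> carries NotOnOrAfter, whether that instant
has already passed relative to the supplied clock, and whether the
NotBefore..NotOnOrAfter window is short. The sample assertions, issuer,
subject and recipient below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample 1: what the fix text asks for. The bearer confirmation is
# bounded to a five-minute window and tied to one recipient.
COMPLIANT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2014-04-03T12:00:00Z">
  <saml:Issuer>https://idp.example.mil</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotBefore="2014-04-03T12:00:00Z"
          NotOnOrAfter="2014-04-03T12:05:00Z"
          Recipient="https://sp.example.mil/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Constructed sample 2: the finding. No end time, so anyone holding this
# bearer assertion can replay it indefinitely.
NONCOMPLIANT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2014-04-03T12:00:00Z">
  <saml:Issuer>https://idp.example.mil</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.mil/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

# Assumed clocks for the demonstration: one inside the window, one at its end.
AUDIT_CLOCK = datetime(2014, 4, 3, 12, 1, tzinfo=timezone.utc)
EXPIRED_CLOCK = datetime(2014, 4, 3, 12, 5, tzinfo=timezone.utc)


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing 'Z'."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # defensive: treat a naive value as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def audit_subject_confirmations(assertion_xml, now, max_window=timedelta(minutes=10)):
    """Return a list of finding strings; an empty list means the check passes.

    max_window is an assumed local policy (the STIG only requires the
    attribute to be present) so that generous lifetimes get reviewed too.
    """
    root = ET.fromstring(assertion_xml)
    findings = []
    confirmations = root.findall(".//saml:SubjectConfirmation", NS)
    if not confirmations:
        return ["no SubjectConfirmation element present; nothing to bound"]
    for index, conf in enumerate(confirmations):
        label = f"SubjectConfirmation[{index}] ({conf.get('Method', 'no Method')})"
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            findings.append(f"{label}: no SubjectConfirmationData, so no NotOnOrAfter (finding)")
            continue
        end = data.get("NotOnOrAfter")
        if end is None:
            findings.append(f"{label}: NotOnOrAfter missing (finding)")
            continue
        end_dt = parse_saml_time(end)
        # The attribute name is literal: the confirmation is invalid at or
        # after this instant, so a clock equal to it already fails.
        if now >= end_dt:
            findings.append(f"{label}: NotOnOrAfter {end} has passed")
        start = data.get("NotBefore")
        if start is not None:
            window = end_dt - parse_saml_time(start)
            if window > max_window:
                findings.append(f"{label}: validity window {window} exceeds policy {max_window}")
    return findings


if __name__ == "__main__":
    for name, xml in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit_subject_confirmations(xml, AUDIT_CLOCK) or "no findings")
```

Feed it the assertion text extracted from a capture (after any base64 decoding the transport applies) and a clock close to the capture time; a relying party should apply the same NotOnOrAfter comparison at validation time, since an attribute the service provider ignores bounds nothing.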