UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22030 APP3940 SV-25356r1_rule DCSQ-1 Medium
Description
A predictable SessionIndex could lead to an attacker computing a future SessionIndex, thereby, possibly compromising the application.
STIG Date
Application Security and Development Checklist 2014-04-03

Details

Check Text ( C-27028r1_chk )
Ask the application representative for the Design Document. Verify in the Design Document asserting parties for SAML assertions use FIPS approved random numbers in the generation of SessionIndex in the Element AuthnStatement.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

1) If FIPS approved random numbers are not used in the generation of SessionIndex (in the Element AuthnStatement), it is a finding.

Fix Text (F-23094r1_fix)
Use FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.