The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-19704 | APP3890 | SV-21845r1_rule | IAIA-2 | Medium |
| Description |
|---|
| SAML assertion identifiers should be unique across a server implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service. |
| STIG | Date |
|---|---|
| Application Security and Development Checklist | 2014-12-22 |
Details
| Check Text ( C-24101r1_chk ) |
|---|
| If the application does not utilize SAML, this check is not applicable. Ask the application representative for the design document. Review the design document for web services using SAML assertions. Review the design document and verify SAML assertion identifiers are not reused by a single asserting party. 1) If the design document does exist, or does not indicate SAML assertion identifiers which are unique for each asserting party, it is a finding. |
| Fix Text (F-23060r1_fix) |
|---|
| Design each SAML asserting authority to use unique assertion identifiers. |