UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer shall ensure each unique asserting party provides unique assertion ID references for each SAML assertion.


Overview

Finding ID Version Rule ID IA Controls Severity
V-19704 APP3890 SV-21845r1_rule IAIA-2 Medium
Description
SAML assertion identifiers should be unique across a server implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-24101r1_chk )
If the application does not utilize SAML, this check is not applicable.

Ask the application representative for the design document. Review the design document for web services using SAML assertions. Review the design document and verify SAML assertion identifiers are not reused by a single asserting party.

1) If the design document does exist, or does not indicate SAML assertion identifiers which are unique for each asserting party, it is a finding.
Fix Text (F-23060r1_fix)
Design each SAML asserting authority to use unique assertion identifiers.