
The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.


Overview

Finding ID: V-22030
Version: APP3940
Rule ID: SV-25356r1_rule
IA Controls: DCSQ-1
Severity: Medium

Description
A predictable SessionIndex could let an attacker who has observed earlier values compute a future SessionIndex, and thereby possibly compromise the application.

STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-27028r1_chk )
Ask the application representative for the Design Document. Verify in the Design Document that asserting parties for SAML assertions use FIPS-approved random numbers in the generation of SessionIndex in the AuthnStatement element; the document should name the random number generator in use rather than merely stating that the value is random.

If the application is a COTS/GOTS product or is composed of only COTS/GOTS products with no custom code, this check does not apply unless the application is being reviewed by or in conjunction with the COTS/GOTS vendor in which case this check is applicable.

1) If FIPS-approved random numbers are not used in the generation of SessionIndex (in the AuthnStatement element), it is a finding.

Fix Text (F-23094r1_fix)
Use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.
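The following is an added example written for this page; it is not code from the STIG or from any particular SAML product. It shows the two sides of the finding: a weak SessionIndex generator (a Mersenne Twister seeded from something guessable such as the login time) from which an attacker who has seen one value can compute the next one, and a generator that draws the SessionIndex from the operating system CSPRNG through Python's `secrets` module and places it in a `saml:AuthnStatement`. Assumptions, all labelled in the code: the host's random number source is a FIPS 140-validated module (the code cannot verify that, which is why the check above looks in the Design Document), 128 bits is the chosen minimum size, and the seed window and timestamp used in the demonstration are constructed sample data.

```python
import random
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SESSION_INDEX_BYTES = 16  # 128 bits; assumption: enough that guessing is infeasible


def weak_session_index_sequence(seed, count):
    """Counterexample: SessionIndex values from a Mersenne Twister seeded with a
    predictable value (e.g. login time). Not a CSPRNG and not FIPS approved."""
    rng = random.Random(seed)
    return ["%032x" % rng.getrandbits(128) for _ in range(count)]


def predict_next_weak_index(observed, seed_candidates):
    """Attacker side: given one SessionIndex observed in a SAML response and a
    range of plausible seeds, recover the seed and compute the next SessionIndex
    the asserting party will issue. Returns None if no candidate matches."""
    for seed in seed_candidates:
        rng = random.Random(seed)
        if "%032x" % rng.getrandbits(128) == observed:
            return "%032x" % rng.getrandbits(128)
    return None


def fips_session_index(num_bytes=SESSION_INDEX_BYTES):
    """Asserting-party side: SessionIndex from the OS CSPRNG via secrets
    (os.urandom). Assumption: the host's RNG is a FIPS 140-validated module;
    this code cannot verify that, so the Design Document must state it."""
    if num_bytes < SESSION_INDEX_BYTES:
        raise ValueError("SessionIndex needs at least 128 bits of randomness")
    return secrets.token_hex(num_bytes)


def build_authn_statement(session_index, authn_instant=None):
    """Serialise a saml:AuthnStatement carrying the SessionIndex attribute."""
    ET.register_namespace("saml", SAML_NS)
    instant = authn_instant or datetime.now(timezone.utc)
    stmt = ET.Element(f"{{{SAML_NS}}}AuthnStatement")
    stmt.set("AuthnInstant", instant.strftime("%Y-%m-%dT%H:%M:%SZ"))
    stmt.set("SessionIndex", session_index)
    ctx = ET.SubElement(stmt, f"{{{SAML_NS}}}AuthnContext")
    ref = ET.SubElement(ctx, f"{{{SAML_NS}}}AuthnContextClassRef")
    ref.text = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    return ET.tostring(stmt, encoding="unicode")


def session_index_from_statement(xml_text):
    """Relying-party side: read SessionIndex back out of an AuthnStatement
    (the value a LogoutRequest later refers to)."""
    return ET.fromstring(xml_text).get("SessionIndex")


if __name__ == "__main__":
    # Weak generator: one observed value plus a guess at the clock window suffices
    login_time = 1700000000  # constructed sample seed (a Unix timestamp)
    issued = weak_session_index_sequence(login_time, 2)
    guess = predict_next_weak_index(issued[0], range(login_time - 600, login_time + 600))
    print("attacker predicted the next SessionIndex:", guess == issued[1])

    # CSPRNG path: unpredictable and unique per session
    idx = fips_session_index()
    xml_text = build_authn_statement(idx, datetime(2014, 12, 22, tzinfo=timezone.utc))
    print(xml_text)
    print("round trip:", session_index_from_statement(xml_text) == idx)
```

The attacker function brute-forces only a 20-minute window of candidate seeds, which is all that is needed when the seed is a timestamp; against `fips_session_index` there is no seed to recover, and 128 bits rules out guessing. Note that `secrets` gives a cryptographically strong value on any platform, but it is only FIPS-approved when the underlying kernel or library RNG is itself a validated module; that is a deployment property the reviewer has to confirm from the Design Document, not from this code.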