UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22032 APP3930 SV-25358r1_rule DCSQ-1 Medium
Description
Multiple OneTimeUse elements used in a SAML assertion can lead to elevation of privileges, if the application does not process SAML assertions correctly.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-27027r1_chk )
Examine the contents of a SOAP message using the OneTimeUse element, all messages should contain only one instance of a OneTimeUse element in a SAML assertion. This can be accomplished using a protocol analyzer such as WireShark

1) If SOAP message uses more than one, OneTimeUse element in a SAML assertion, it is a finding.
Fix Text (F-23100r1_fix)
When using OneTimeUse elements in a SAML assertion only allow one, OneTimeUse element to be used in the Conditions element of a SAML assertion.