Hi,
I am looking for some information on Auth0’s support for SAML as a service provider (not as an identity provider). Looking through the docs I found some good info, but still have a few questions. Does the service provider implementation support:
- Protection against replay attacks
- Validation of assertion timestamps
- Validation of client IP address consistency
Any help would be greatly appreciated.
Thanks
Bill
For anyone who ends up here, I asked support about the first two points and they verified that Auth0 has the controls.
Replay Attack Prevention:
Auth0 prevents replay attacks by tracking SAML response and assertion IDs. Our system checks if a response ID has been processed before and will reject duplicates.
Timestamp Validation:
Auth0 validates the NotBefore and NotOnOrAfter attributes within the SAML assertion’s Conditions element.
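For readers who want to see what the two controls described in the reply look like on the service-provider side, here is an added example (not Auth0's code and not taken from this thread) that validates a SAML 2.0 assertion's NotBefore/NotOnOrAfter conditions with a small clock-skew allowance and rejects an assertion whose ID has already been processed. The sample assertion, the IDs, the `https://idp.example.test` issuer and the 60-second skew are constructed for illustration; a real SP verifies the XML signature and the audience before running these checks, and uses a hardened SAML library rather than a bare XML parser.

```python
"""Added example: SAML assertion replay and timestamp checks on the service-provider side."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only (unsigned, not a real IdP message).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-001" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xs:dateTime such as 2024-01-01T12:00:00Z into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat on older Pythons does not accept 'Z'
    parsed = dt.datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("SAML timestamps must carry a timezone")
    return parsed.astimezone(dt.timezone.utc)


class AssertionReplayCache:
    """Remembers assertion IDs until the assertion could no longer pass the time check."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which the entry can be dropped

    def check_and_record(self, assertion_id, keep_until, now):
        # Drop entries for assertions that would now fail the expiry check anyway.
        for stale in [k for k, until in self._seen.items() if until <= now]:
            del self._seen[stale]
        if assertion_id in self._seen:
            return False  # replay: this ID was already accepted
        self._seen[assertion_id] = keep_until
        return True


def validate_assertion(xml_text, cache, now, skew=dt.timedelta(seconds=60)):
    """Return (accepted, reason). Signature and audience checks are assumed to have run already."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        return False, "not a SAML 2.0 Assertion"
    assertion_id = root.get("ID")
    if not assertion_id:
        return False, "assertion has no ID"
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        # The schema makes both optional; an SP that wants time-bounded assertions requires them.
        return False, "missing NotBefore/NotOnOrAfter"
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return False, "assertion expired"
    # Replay protection: keep the ID until the assertion could no longer be accepted.
    if not cache.check_and_record(assertion_id, not_on_or_after + skew, now):
        return False, "replayed assertion ID"
    return True, "ok"


def sample_time(hour, minute, second=0):
    """Constructed SP clock reading on the sample assertion's day, in UTC."""
    return dt.datetime(2024, 1, 1, hour, minute, second, tzinfo=dt.timezone.utc)


def demo():
    """Present the same assertion twice within its validity window."""
    cache = AssertionReplayCache()
    now = sample_time(12, 1)
    first = validate_assertion(SAMPLE_ASSERTION, cache, now)
    second = validate_assertion(SAMPLE_ASSERTION, cache, now)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The cache only needs to hold an ID for as long as the assertion could still pass the NotOnOrAfter check, which is why the entry's lifetime is tied to that attribute plus the skew; in a multi-instance deployment the cache has to be shared (for example a central store), otherwise a replay against a different node would be accepted.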