Disable replay policy for one relying party

Cantor, Scott cantor.2 at osu.edu
Tue Mar 6 10:16:47 EST 2018


> Ideally ADFS would send better cache headers but am looking into this in
> case that's not possible, since its AuthnRequest isn't signed so I don't think
> there's any danger in allowing a replayed request.

It's not about danger; it's about trapping somebody that hits the back button into artificially repeating a login, which I consider the worst possible outcome.

There is no exposed support for it. Various undocumented changes to the system can do it, but nothing supported and definitely nothing per-RP.

-- Scott
