Disable replay policy for one relying party

Howes, Nick N.Howes at warwick.ac.uk
Tue Mar 6 10:45:35 EST 2018

Thanks Scott - your explanation makes sense. In the end we've managed to teach the load balancer to fix the root issue in ADFS, so the browser will only make the one request.


From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: 06 March 2018 15:16:47
To: Shib Users
Subject: RE: Disable replay policy for one relying party

> Ideally ADFS would send better cache headers but am looking into this in
> case that's not possible, since its AuthnRequest isn't signed so I don't think
> there's any danger in allowing a replayed request.

It's not about danger, it's about trapping somebody that hits the back button into artificially repeating a login, which I consider the worst possible outcome.

There is no exposed support for it. Various undocumented changes to the system can do it, but nothing supported and definitely nothing per-RP.

-- Scott

For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
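The back-button problem Scott describes comes from the IdP's replay cache: each SAML AuthnRequest carries a unique ID, and a request whose ID has already been seen within the cache lifetime is refused. This added example (not Shibboleth IdP code, and the AuthnRequest, issuer and IDs are constructed placeholders) shows that mechanism end to end: the first submission is accepted, the browser re-sending the identical request is flagged as a replay, and the same ID is accepted again only once the cache entry has expired.

```python
import time
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample AuthnRequest in the shape an SP such as ADFS sends.
# The issuer and ID are hypothetical, not captured from a real deployment.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example-request-id-0001" Version="2.0"
    IssueInstant="2018-03-06T15:00:00Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  >http://adfs.example.org/adfs/services/trust</saml:Issuer>
</samlp:AuthnRequest>"""


class ReplayCache:
    """Remembers message IDs until they expire; a second sighting is a replay."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._seen = {}  # message ID -> expiry time (epoch seconds)

    def check(self, message_id, now=None):
        now = time.time() if now is None else now
        # Evict expired entries so the cache does not grow without bound.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if message_id in self._seen:
            return False  # already seen inside the TTL: replay
        self._seen[message_id] = now + self.ttl
        return True


def extract_request_id(authn_request_xml):
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.attrib["ID"]


def process_authn_request(cache, authn_request_xml, now=None):
    """Return 'accepted' for a fresh request and 'replay' for a repeat."""
    return "accepted" if cache.check(extract_request_id(authn_request_xml), now) else "replay"


def back_button_scenario():
    """First submission accepted, re-sent request refused, accepted again after TTL."""
    cache = ReplayCache(ttl_seconds=300)
    first = process_authn_request(cache, SAMPLE_AUTHN_REQUEST, now=1000.0)
    replay = process_authn_request(cache, SAMPLE_AUTHN_REQUEST, now=1010.0)
    after_ttl = process_authn_request(cache, SAMPLE_AUTHN_REQUEST, now=1400.0)
    return first, replay, after_ttl
```

This is why the fix belongs on the SP side (or, as above, on a load balancer in front of it): if the browser never re-sends the same request, the cache never has to refuse it.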