OneTimeUse Clarifications

Stefan Rasmusson rasmusson.stefan at
Wed Nov 11 08:11:00 UTC 2020

Looking at people like Scott Cantor who have seen a lot of the SAML spec
and the implementations. I have seen several discussions on the use and
meaning of the OneTimeUse element.
My interpretation of the SAML spec is that it is not related to replay
protection and does not say anything about whether the SP should be able to
receive the same assertion twice, but only whether this assertion can be used
several times internally in the SP. Is this a correct interpretation of
this element?
If this is the case, why do both the SAML security considerations and
the OWASP project's documentation on SAML recommend using it?
If it's not, what are the use cases of allowing an assertion to be replayed?

Lastly, any ideas on how implementations generally handle this? As I understand
it, web browser profiles should discard duplicates even without this, but do
most implementations?
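To make the distinction the post draws concrete, here is an added example (not code from the original post, and not any real SP implementation) of how a service provider can keep the two concerns apart: replay of a bearer assertion is caught by remembering used assertion IDs for the validity window given by NotOnOrAfter, while OneTimeUse is only reported so that the SP can refuse to retain the assertion for later decisions. The assertion below is a constructed, unsigned sample; signature verification, issuer checks and audience checks are assumed to happen elsewhere and are out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only (not a real IdP message).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2020-11-11T08:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2020-11-11T08:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-11-11T07:59:00Z" NotOnOrAfter="2020-11-11T08:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
</saml:Assertion>"""


def utc(year, month, day, hour, minute):
    """Build a timezone-aware UTC timestamp (helper for tests and demos)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse the whole-second UTC form used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers used assertion IDs until their validity window closes.

    This is the replay protection the question asks about: it is independent
    of OneTimeUse and applies to every bearer assertion the SP accepts.
    """

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which the entry can be dropped

    def check_and_record(self, assertion_id, expires_at, now):
        """Return True if the ID is fresh (and record it), False if it was already used."""
        for stale in [aid for aid, exp in self._seen.items() if exp <= now]:
            del self._seen[stale]
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires_at
        return True


def evaluate_assertion(xml_text, now, cache):
    """Validate time window and replay, and report whether OneTimeUse is present."""
    root = ET.fromstring(xml_text)
    assertion_id = root.get("ID")
    conditions = root.find("saml:Conditions", NS)
    not_before = _parse_ts(conditions.get("NotBefore"))
    not_on_or_after = _parse_ts(conditions.get("NotOnOrAfter"))
    if now < not_before or now >= not_on_or_after:
        return {"accepted": False, "reason": "outside validity window"}

    # Bearer confirmation carries its own NotOnOrAfter; that bounds how long
    # the ID must be remembered to detect a replay of this assertion.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    bearer_expiry = _parse_ts(scd.get("NotOnOrAfter")) if scd is not None else not_on_or_after
    if now >= bearer_expiry:
        return {"accepted": False, "reason": "bearer confirmation expired"}

    if not cache.check_and_record(assertion_id, bearer_expiry, now):
        return {"accepted": False, "reason": "replayed assertion ID"}

    # OneTimeUse is a retention hint: the assertion is consumed now and must
    # not be stored for later authorization decisions. It is not the replay check.
    one_time_use = conditions.find("saml:OneTimeUse", NS) is not None
    return {
        "accepted": True,
        "reason": "ok",
        "assertion_id": assertion_id,
        "one_time_use": one_time_use,
        "retain": not one_time_use,
    }


def run_demo():
    """Present the same assertion twice, then once more after it has expired."""
    cache = ReplayCache()
    first = evaluate_assertion(SAMPLE_ASSERTION, utc(2020, 11, 11, 8, 1), cache)
    second = evaluate_assertion(SAMPLE_ASSERTION, utc(2020, 11, 11, 8, 2), cache)
    expired = evaluate_assertion(SAMPLE_ASSERTION, utc(2020, 11, 11, 8, 10), ReplayCache())
    return first, second, expired


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The first presentation is accepted and flagged with one_time_use set, so the SP should act on it immediately and not keep it; the second presentation of the identical assertion is rejected by the ID cache regardless of OneTimeUse; a presentation after NotOnOrAfter is rejected by the time check, which is also the point at which the cache entry may safely be forgotten.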
