nonce verification

[Johnny Bufu]

"9.2.1.  Verifying Discovered Information
[...]
To prevent replay attacks, the Relying Party SHOULD keep track of the  
nonce values included in positive assertions and never accept the  
same value more than once for the same association."

How should the nonce verification be done when in stateless mode (and  
there's no association)?

Should that read instead "for the same IdP endpoint"?

If not, are the nonce strings to be considered globally unique? That  
could create conflicts.


Johnny