johnny at sxip.com
Thu Sep 14 23:43:47 UTC 2006
"9.2.1. Verifying Discovered Information
To prevent replay attacks, the Relying Party SHOULD keep track of the
nonce values included in positive assertions and never accept the
same value more than once for the same association."
How should the nonce verification be done when in stateless mode (and
there's no association)?
Should that read instead "for the same IdP endpoint"?
If not, are the nonce strings to be considered globally unique? That
could create conflicts.