Questions about replay attacks

[Malshtur]

Hello,

I am working on supporting SAML2 in a Django application.

Concerned about security aspects of the protocol, I would like to confirm my understanding of your toolkit before making any mistake. When it comes to replay attacks, what I understand so far is that get_last_request_id, get_last_message_id and get_last_assertion_id provides access to the last processed ones.

It seems to me that it is not enough. Let me explain. These attacks are not easy to pull off, I know.
But what if I have two valid SAML2 flows during a short time frame so that I can replay the first assertion before its expiration ?
What I understand, but i may be wrong, is that the get_last_*_id methods would provide ids about the second flow. So if the first one is replayed in the good time frame, the ids are not traced anymore and the session is granted.

Please forgive me and let me know if I completly misundertood the source code.

[pitbulk]

Sorry for the delayed reply.

To avoid replay attacks, the idea is to register the get_last_message_id // get_last_assertion_id of the validated SAMLResponses during the time you consider the SAMLResponse will fail due to expiration.

Right now the toolkit has 300s
https://github.com/SAML-Toolkits/python3-saml/blob/master/src/onelogin/saml2/constants.py#L20

So if you store the ids for 10 min, and you reject automatically the response/assertion already processed, you will be ok