SAML Replay attack


How to block a SAML replay attack against an Okta-integrated application.

The SAML response from Okta has the IssueInstant, NotBefore and NotOnOrAfter timestamps (usually with a difference of 5 minutes). So any replay after 5 minutes is automatically void, unless your app does not honor NotOnOrAfter. If you are trying to implement some custom logic to not have the SAML replayed within the 5-minute window, you can probably add logic that checks and tracks the SessionIndex, which should be unique. But I would think that's overkill.
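The answer above describes two controls: honoring the NotBefore/NotOnOrAfter window, and tracking a unique identifier so an assertion cannot be presented twice inside that window. The following is an added example of both checks in a service provider, written for this page; it is not code from the answer, from Okta, or from any SAML library. It keys the one-time-use cache on the Assertion `ID` attribute (which SAML 2.0 requires the issuer to make unique) and also extracts the SessionIndex the answer mentions so the application can bind it to the login session. The sample response, its IDs and timestamps, the `ReplayCache` class and the `validate_assertion` function are all constructed for illustration, and the code assumes the caller has already verified the XML signature on the response: none of these checks mean anything on an unverified document.

```python
"""SAML 2.0 replay protection: validity window plus a one-time-use assertion cache.

Added example, not code from the original post, Okta, or a SAML library. Assumes the
Response's XML signature has ALREADY been verified before this module is called.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample with hypothetical IDs and a five-minute Conditions window.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-response-1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Assertion ID="id-assertion-1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="id-session-1"/>
  </saml:Assertion>
</samlp:Response>"""


class SamlValidationError(Exception):
    """Raised when the assertion must be rejected (malformed, expired, not yet valid, replayed)."""


def parse_saml_time(value: str) -> datetime:
    """Parse the xs:dateTime form SAML uses: UTC with a trailing 'Z', optional fraction."""
    if not value or not value.endswith("Z"):
        raise SamlValidationError("timestamp must be UTC with trailing 'Z': %r" % (value,))
    body, _, fraction = value[:-1].partition(".")
    try:
        parsed = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
        micro = int((fraction + "000000")[:6]) if fraction else 0   # ms or us precision
    except ValueError:
        raise SamlValidationError("malformed timestamp: %r" % (value,))
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)


class ReplayCache:
    """Assertion IDs already consumed, each kept until it could no longer pass the time check.

    In-memory for the example; a multi-node service provider needs a shared store so every
    node behind the load balancer sees the same entries.
    """

    def __init__(self):
        self._seen = {}   # assertion ID -> datetime after which the entry is useless

    def check_and_record(self, assertion_id: str, keep_until: datetime, now: datetime) -> bool:
        """Return True and record the ID on first use; False if it was seen before."""
        for stale in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[stale]          # evict IDs the window check would reject anyway
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = keep_until
        return True


def validate_assertion(xml_text: str, cache: ReplayCache, now: datetime,
                       clock_skew_seconds: int = 30) -> dict:
    """Enforce IssueInstant/NotBefore/NotOnOrAfter with bounded clock skew, then one-time use.

    Returns the identifiers the application binds to its session, or raises
    SamlValidationError. ``now`` is a parameter so the checks are deterministic.
    """
    skew = timedelta(seconds=clock_skew_seconds)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or not assertion.get("ID"):
        raise SamlValidationError("response carries no Assertion with an ID")
    assertion_id = assertion.get("ID")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None or not (conditions.get("NotBefore") and conditions.get("NotOnOrAfter")):
        raise SamlValidationError("assertion lacks a NotBefore/NotOnOrAfter window")

    issue_instant = parse_saml_time(assertion.get("IssueInstant", ""))
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if issue_instant > now + skew:
        raise SamlValidationError("IssueInstant is in the future")
    if now + skew < not_before:
        raise SamlValidationError("assertion not yet valid (NotBefore %s)" % not_before)
    if now - skew >= not_on_or_after:                 # NotOnOrAfter is exclusive
        raise SamlValidationError("assertion expired (NotOnOrAfter %s)" % not_on_or_after)

    authn = assertion.find("saml:AuthnStatement", NS)
    session_index = authn.get("SessionIndex") if authn is not None else None
    # Replay check goes last so the cache only ever holds assertions that are still live.
    if not cache.check_and_record(assertion_id, not_on_or_after + skew, now):
        raise SamlValidationError("assertion %s already consumed: replay" % assertion_id)
    return {"assertion_id": assertion_id, "session_index": session_index,
            "not_on_or_after": not_on_or_after}


if __name__ == "__main__":
    cache = ReplayCache()
    now = parse_saml_time("2024-01-01T12:00:00Z")
    print("first use:", validate_assertion(SAMPLE_RESPONSE, cache, now))
    try:
        validate_assertion(SAMPLE_RESPONSE, cache, now + timedelta(minutes=1))
    except SamlValidationError as err:
        print("second use rejected:", err)
```

The cache entry for an ID is kept until NotOnOrAfter plus the allowed skew, which is exactly the last instant at which the time check could still accept a replay, so evicting it afterwards loses nothing. In an SP-initiated flow the same place is where you would also compare the response's `InResponseTo` against the AuthnRequest ID you issued and have not yet seen, which rejects replays of assertions that were minted for a different login.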