I am trying to connect to a custom CAS 4 implementation with Spring Security SAML. The Spring lib throws an exception because the assertion condition is one-time use. I commented it out by extending the base class and made it work. I am wondering why there is such a limitation in the library. Thanks for any help. Being more specific: in the method verifyAssertionConditions of the class WebSSOProfileConsumerImpl there is this code:
else if (conditionQName.equals(OneTimeUse.DEFAULT_ELEMENT_NAME)) {
    throw new SAMLException("System cannot honor OneTimeUse condition of the Assertion for WebSSO");
}
Spring SAML uses the received Assertion throughout its validity period and cannot be forced to request a new one with possibly different values (e.g. access roles), which is my understanding of the intention of the OneTimeUse condition in this context (details are in SAML 2 core). For that reason Spring SAML rejects SAML Responses which have this condition set.

You can change the behavior by overriding verifyAssertionConditions in WebSSOProfileConsumerImpl, filtering the condition out and calling super with the remaining ones.
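As an added example (not code from the question or the answer above), here is what such an override looks like against the Spring Security SAML 1.0.x / OpenSAML 2 API. The class name and package are hypothetical; the method signature is the one from WebSSOProfileConsumerImpl, and it is assumed that Conditions.getConditions() returns the live, modifiable child list of the parsed element so that the OneTimeUse entry can be removed before calling super.

```java
package com.example.saml; // hypothetical package name

import java.util.List;

import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.OneTimeUse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

/**
 * WebSSO consumer that tolerates a OneTimeUse condition instead of rejecting
 * the whole Response. Every other check done by the parent (NotBefore /
 * NotOnOrAfter, AudienceRestriction, ProxyRestriction, unknown conditions)
 * still runs because super is called with the remaining conditions.
 */
public class OneTimeUseTolerantConsumer extends WebSSOProfileConsumerImpl {

    private static final Logger log =
            LoggerFactory.getLogger(OneTimeUseTolerantConsumer.class);

    @Override
    protected void verifyAssertionConditions(Conditions conditions,
                                             SAMLMessageContext context,
                                             boolean audienceRequired)
            throws SAMLException {
        if (conditions != null) {
            // Assumption: this is the live child list of the parsed Conditions
            // element (OpenSAML 2 XMLObjectChildrenList), so removing from it
            // changes what the parent class will see.
            List<Condition> list = conditions.getConditions();
            boolean removed = list.removeIf(
                    c -> OneTimeUse.DEFAULT_ELEMENT_NAME.equals(c.getElementQName()));
            if (removed) {
                // Make the deviation visible in the logs: the IdP asked for
                // single use, and this SP will keep using the assertion until
                // NotOnOrAfter regardless.
                log.warn("Ignoring OneTimeUse condition on assertion from {}",
                        context.getPeerEntityId());
            }
        }
        // Hand the remaining conditions to the standard checks.
        super.verifyAssertionConditions(conditions, context, audienceRequired);
    }
}
```

Register this class in place of the consumer bean that Spring SAML's sample configuration names webSSOprofileConsumer. List.removeIf needs Java 8; on older JDKs iterate with an Iterator and call remove() instead. Be aware of what you are opting out of: the IdP is signalling that the assertion must not be reused, and after this override the SP will accept it for its entire validity window, so keep the NotOnOrAfter window short and make sure that is acceptable for your deployment rather than silently dropping the condition.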