The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222401	APSC-DV-000210	SV-222401r960759_rule		Medium

Description

STIG	Date
Application Security and Development Security Technical Implementation Guide	2025-02-12

Details

Check Text (C-24071r493111_chk)

Ask the application representative for the design document.

Review the design document for web services using SAML assertions.

If the application does not utilize SAML assertions, this check is not applicable.

Review the design document and verify SAML assertion identifiers are not reused by a single asserting party.

If the design document does not exist, or does not indicate SAML assertion identifiers which are unique for each asserting party, this is a finding.

Fix Text (F-24060r493112_fix)

Design and configure each SAML assertion authority to use unique assertion identifiers.