DISA STIGS Viewer

The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion.

Overview

Finding ID Version Rule ID IA Controls Severity
V-222404 APSC-DV-000240 SV-222404r960759_rule   High
Description
STIG Date
Application Security and Development Security Technical Implementation Guide 2025-02-12

Details

Check Text (C-24074r493120_chk)
Ask the application representative for the design document.

Review the design document for web services using SAML assertions.

If the application does not utilize SAML assertions, this check is not applicable.

Examine the contents of a SOAP message using the <Conditions> element; all messages should contain the <NotBefore> and <NotOnOrAfter> or <OneTimeUse> element when in a SAML Assertion. This can be accomplished using a protocol analyzer such as Wireshark.

If SOAP using the <Conditions> element does not contain <NotBefore> and <NotOnOrAfter> or <OneTimeUse> elements, this is a finding.
Fix Text (F-24063r493121_fix)
Design and configure the application to implement the use of the <NotBefore> and <NotOnOrAfter> or <OneTimeUse> when using the <Conditions> element in a SAML assertion.