Federation - No Use of Assertion Lifetime to Limit Length of Subscriber Session with RP, v1.0

Identity Providers must generate all assertions with short lifetimes (minimize time between issuance and expiration time) to minimize the risk of replay attacks.

Assessment Step

1
Assertion Expiration Time (AssertionExpirationTime)
Does the IdP generate assertions with appropriately short expiration times? It should only be valid long enough for RPs to process and establish a session, the RPs session is not limited by the assertions expiration time.
Artifact
A1
Provide evidence (e.g. policies, operational samples) that the IdP generates assertions with all the proper data.

Conformance Criteria (1)

C1
The assertion's lifetime is the time between its issuance and its expiration. This lifetime needs to be long enough to allow the RP to process the assertion and create a local application session for the subscriber, but should not be longer than necessary for such establishment. Long-lived assertions have a greater risk of being stolen or replayed; a short assertion lifetime mitigates this risk. Assertion lifetimes SHALL NOT be used to limit the session at the RP.
Citation
NIST SP 800-63C
Section 6