Spring Security provides minimal validation for SAML 2.0 assertions. ResponseValidator and AssertionValidator, introduced in 6.5, make it simpler to offer additional validation options, so we can consider supporting a check for replayed SAML 2.0 assertions.

Spring Security already supports replay defense by way of the InResponseTo attribute and the NotBefore and NotOnOrAfter attributes.

A stronger defense is to allow configuring a cache that retains assertion IDs for a configured validity window; Spring Security would check each incoming assertion against that cache.

Support may look like the following:

public static final class ReplayValidator
        implements Converter<ResponseToken, Saml2ResponseValidatorResult> {
    private final Cache replayCache;

    // ... check each assertion against the cache,
    // ... fail the entire response if any assertion is replayed
}
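A fuller version of the sketch above, added here as an illustration and not Spring Security's own code. It assumes OpenSaml5AuthenticationProvider.ResponseToken, that createDefaultResponseValidator() exists on the OpenSaml5 provider as it does on the OpenSaml4 one, and a Spring Cache (for example a Caffeine-backed one) whose entry expiry the caller sets to at least the longest accepted NotOnOrAfter window plus clock skew, since the Cache abstraction has no per-entry TTL.

```java
import java.util.ArrayList;
import java.util.List;

import org.opensaml.saml.saml2.core.Assertion;
import org.springframework.cache.Cache;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.core.Saml2ResponseValidatorResult;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider.ResponseToken;

/**
 * Hypothetical replay check layered on top of the default response validation.
 * The validity window is the cache's own expiry setting (assumed to be configured
 * by the caller), so an ID stays cached until its assertion could no longer be valid.
 */
public final class ReplayValidator implements Converter<ResponseToken, Saml2ResponseValidatorResult> {

    private final Converter<ResponseToken, Saml2ResponseValidatorResult> delegate =
            OpenSaml5AuthenticationProvider.createDefaultResponseValidator();

    private final Cache replayCache;

    public ReplayValidator(Cache replayCache) {
        this.replayCache = replayCache;
    }

    @Override
    public Saml2ResponseValidatorResult convert(ResponseToken token) {
        Saml2ResponseValidatorResult result = this.delegate.convert(token);
        if (result.hasErrors()) {
            // Do not record IDs from a response that already failed validation.
            return result;
        }
        List<Saml2Error> errors = new ArrayList<>();
        for (Assertion assertion : token.getResponse().getAssertions()) {
            String id = assertion.getID();
            // putIfAbsent returns a non-null wrapper only when the ID was already cached,
            // which means this assertion has been presented before: a replay.
            if (id == null || this.replayCache.putIfAbsent(id, Boolean.TRUE) != null) {
                errors.add(new Saml2Error(Saml2ErrorCodes.INVALID_ASSERTION,
                        "Assertion " + id + " was already presented or has no ID"));
            }
        }
        // Any replayed assertion fails the entire response, not just that assertion.
        return errors.isEmpty() ? result : result.concat(Saml2ResponseValidatorResult.failure(errors));
    }
}
```

Wire it in with `provider.setResponseValidator(new ReplayValidator(cache))`; note that the response validator runs before per-assertion signature checks, so the cache should be sized for the IDs an IdP issues within the window.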