pythonthings
diff --git a/‎README.md‎
Lines changed: 13 additions & 0 deletions b/‎README.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎src/onelogin/saml2/auth.py‎
Lines changed: 9 additions & 0 deletions b/‎src/onelogin/saml2/auth.py‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/onelogin/saml2/response.py‎
Lines changed: 11 additions & 0 deletions b/‎src/onelogin/saml2/response.py‎
Lines changed: 11 additions & 0 deletions
@@ -854,6 +854,13 @@ The 'x509certMulti' is an array with 2 keys:
 - 'encryption' An array with one unique cert that will be used to encrypt data to be sent to the IdP.
 
 
+### Replay attacks ###
+
+In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting.
+
+Get the ID of the last processed message/assertion with the get_last_message_id/get_last_assertion_id method of the Auth object.
+
+
 ### Main classes and methods ###
 
 Described below are the main classes and methods that can be invoked from the SAML2 library.
@@ -885,6 +892,9 @@ Main class of OneLogin Python Toolkit
 * ***set_strict*** Set the strict mode active/disable.
 * ***get_last_request_xml*** Returns the most recently-constructed/processed XML SAML request (AuthNRequest, LogoutRequest)
 * ***get_last_response_xml*** Returns the most recently-constructed/processed XML SAML response (SAMLResponse, LogoutResponse). If the SAMLResponse had an encrypted assertion, decrypts it.
+* ***get_last_message_id*** The ID of the last Response SAML message processed.
+* ***get_last_assertion_id*** The ID of the last assertion processed.
+* ***get_last_assertion_not_on_or_after*** The NotOnOrAfter value of the valid SubjectConfirmationData node (if any) of the last assertion processed (is only calculated with strict = true)
 
 ####OneLogin_Saml2_Auth - authn_request.py####
 
@@ -913,6 +923,9 @@ SAML 2 Authentication Response class
 * ***validate_timestamps*** Verifies that the document is valid according to Conditions Element
 * ***get_error*** After execute a validation process, if fails this method returns the cause
 * ***get_xml_document*** Returns the SAML Response document (If contains an encrypted assertion, decrypts it).
+* ***get_id*** the ID of the response
+* ***get_assertion_id*** the ID of the assertion in the response
+* ***get_assertion_not_on_or_after*** the NotOnOrAfter value of the valid SubjectConfirmationData if any
 
 ####OneLogin_Saml2_LogoutRequest - logout_request.py####
 
 
@@ -65,6 +65,7 @@ def __init__(self, request_data, old_settings=None, custom_base_path=None):
         self.__last_assertion_id = None
         self.__last_request = None
         self.__last_response = None
+        self.__last_assertion_not_on_or_after = None
 
     def get_settings(self):
         """
@@ -109,6 +110,7 @@ def process_response(self, request_id=None):
                 self.__last_message_id = response.get_id()
                 self.__last_assertion_id = response.get_assertion_id()
                 self.__authenticated = True
+                self.__last_assertion_not_on_or_after = response.get_assertion_not_on_or_after()
 
             else:
                 self.__errors.append('invalid_response')
@@ -255,6 +257,13 @@ def get_session_expiration(self):
         """
         return self.__session_expiration
 
+    def get_last_assertion_not_on_or_after(self):
+        """
+        The NotOnOrAfter value of the valid SubjectConfirmationData node
+        (if any) of the last assertion processed
+        """
+        return self.__last_assertion_not_on_or_after
+
     def get_errors(self):
         """
         Returns a list with code errors if something went wrong
 
@@ -39,6 +39,7 @@ def __init__(self, settings, response):
         self.document = OneLogin_Saml2_XML.to_etree(self.response)
         self.decrypted_document = None
         self.encrypted = None
+        self.valid_scd_not_on_or_after = None
 
         # Quick check for the presence of EncryptedAssertion
         encrypted_assertion_nodes = self.__query('/samlp:Response/saml:EncryptedAssertion')
@@ -245,6 +246,10 @@ def is_valid(self, request_data, request_id=None, raise_exceptions=False):
                             parsed_nb = OneLogin_Saml2_Utils.parse_SAML_to_time(nb)
                             if parsed_nb > OneLogin_Saml2_Utils.now():
                                 continue
+
+                        if nooa:
+                            self.valid_scd_not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(nooa)
+
                         any_subject_confirmation = True
                         break
 
@@ -475,6 +480,12 @@ def get_session_not_on_or_after(self):
             not_on_or_after = OneLogin_Saml2_Utils.parse_SAML_to_time(authn_statement_nodes[0].get('SessionNotOnOrAfter'))
         return not_on_or_after
 
+    def get_assertion_not_on_or_after(self):
+        """
+        Returns the NotOnOrAfter value of the valid SubjectConfirmationData node if any
+        """
+        return self.valid_scd_not_on_or_after
+
     def get_session_index(self):
         """
         Gets the SessionIndex from the AuthnStatement