SAML relies on SSL/TLS to keep assertions and messages confidential in transit, but encryption alone does not stop replay; the protection comes from assertion-level checks: each assertion carries a unique ID and a NotOnOrAfter validity limit, and a service provider consuming bearer assertions must record the IDs it has already accepted for as long as those assertions remain valid so that a resent assertion is rejected.
The system does not need a password list: with a single password, a registered user can log in to the different services and obtain session keys. The scheme withstands replay and impersonation attacks.
A replay attack is one in which a valid message is captured and later resent to the service, which processes it a second time because nothing in the message ties it to a single use.
As mentioned above, a replay attack by a malicious third party is the most convenient attack, since the attacker only has to resend a captured message and needs no key material at all.
There are subtle issues of cryptography, replay attacks, and various other forms of attack that are easily overlooked.
While the session ID is randomly generated, it is still subject to replay attacks because it never times out except when idle, so a captured ID stays valid for as long as the attacker keeps using it.
However, SSL/TLS only prevents replay of records within a single connection (each record is bound to a sequence number under the MAC or AEAD); it does not stop an attacker from resending a captured application-level message or a stolen token over a new connection, so the application still needs its own nonces, timestamps or sequence numbers.
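The following is an added example, not code from any of the sources these sentences come from. It ties together the definition of a replay attack, the session ID that never times out, and the limit of SSL/TLS noted just above: a server that checks only a MAC accepts a captured request again, a server that also requires a fresh timestamp and an unseen nonce under the MAC does not, and a session store with an absolute lifetime retires an ID even when it is kept active. The key, the message layout `<unix-ts>|<nonce>|<body>`, the 30-second freshness window and the session limits are all assumptions chosen for the demo; the clock is injectable so the replay can be reproduced deterministically.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared key for the example; a real deployment derives one per peer.
KEY = b"example-shared-secret"


def sign(msg: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA256 tag over the message bytes."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class NaiveServer:
    """Checks only the MAC. Any captured (msg, tag) pair stays valid forever,
    so the attacker needs no key at all: this is the replay attack itself."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.processed = []

    def handle(self, msg: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(sign(msg, self.key), tag):
            return False
        self.processed.append(msg)
        return True


class ReplaySafeServer:
    """Requires msg = b"<unix-ts>|<nonce>|<body>" (assumed layout), all under the
    MAC, and rejects anything outside the freshness window or with a nonce already seen."""

    def __init__(self, key: bytes = KEY, window: int = 30, now=time.time):
        self.key = key
        self.window = window
        self.now = now          # injectable clock so the demo is deterministic
        self.seen = {}          # nonce -> time it was accepted
        self.processed = []

    def handle(self, msg: bytes, tag: bytes) -> bool:
        # MAC first: everything after this runs on authenticated input only.
        if not hmac.compare_digest(sign(msg, self.key), tag):
            return False
        try:
            ts_raw, nonce, body = msg.split(b"|", 2)
            ts = int(ts_raw)
        except ValueError:
            return False
        now = self.now()
        if abs(now - ts) > self.window:      # stale, or claims to be from the future
            return False
        # Forget nonces that can no longer pass the window check, keeping the cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:               # exact replay inside the window
            return False
        self.seen[nonce] = now
        self.processed.append(body)
        return True


def make_request(body: bytes, key: bytes = KEY, now=time.time):
    """Client side: timestamp + random nonce + body, all covered by the MAC."""
    nonce = secrets.token_hex(16).encode()
    msg = b"%d|%s|%s" % (int(now()), nonce, body)
    return msg, sign(msg, key)


class SessionStore:
    """Session IDs with an idle timeout AND an absolute lifetime. With only the
    idle timeout, a stolen ID stays usable as long as the thief keeps using it."""

    def __init__(self, idle: int = 900, lifetime: int = 3600, now=time.time):
        self.idle, self.lifetime, self.now = idle, lifetime, now
        self.sessions = {}      # sid -> {"created": t, "last": t}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        t = self.now()
        self.sessions[sid] = {"created": t, "last": t}
        return sid

    def check(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        if s is None:
            return False
        t = self.now()
        if t - s["last"] > self.idle or t - s["created"] > self.lifetime:
            del self.sessions[sid]
            return False
        s["last"] = t
        return True


def demo() -> dict:
    """Replay one signed request against both servers, then age an active session."""
    clock = [1_700_000_000]
    now = lambda: clock[0]
    naive, safe = NaiveServer(), ReplaySafeServer(now=now)
    msg, tag = make_request(b"transfer 100 to bob", now=now)   # constructed request
    result = {
        "naive_first": naive.handle(msg, tag),
        "naive_replay": naive.handle(msg, tag),    # accepted again: the attack works
        "safe_first": safe.handle(msg, tag),
        "safe_replay": safe.handle(msg, tag),      # rejected: nonce already seen
    }
    clock[0] += 120                                # now outside the 30 s window
    result["safe_stale"] = safe.handle(msg, tag)   # rejected even with an empty cache

    store = SessionStore(idle=900, lifetime=3600, now=now)
    sid = store.create()
    checks = []
    for _ in range(5):                 # used every 800 s, so the idle limit never trips
        clock[0] += 800
        checks.append(store.check(sid))  # fifth check is at 4000 s: lifetime exceeded
    result["session_checks"] = checks
    return result


if __name__ == "__main__":
    print(demo())
```

The order inside `ReplaySafeServer.handle` matters: the MAC is verified before the timestamp or nonce is parsed, so an attacker cannot fill the nonce cache or probe the clock with unauthenticated input, and the cache is purged by the same window the timestamp check enforces, so it never needs to grow past what one window of traffic can produce.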