It seems there is no support for SAML token replay detection in a clustered / load-balanced environment, such as Azure. The token cache looks to be per-instance, which means any other server that has not seen the token in question would not be able to reject the request as a duplicate.
Is this a known issue? Or...have I missed some magic configuration options?
Thanks!
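The per-instance cache problem described in the question, illustrated with an added example that is not from the original post and is not tied to any particular SAML library: a replay cache keyed by assertion ID with a pluggable store, simulated for two server instances with and without a shared store. The class and function names, and the plain dict standing in for a distributed cache, are assumptions.

```python
import threading
import time


class ReplayCache:
    """Replay detector keyed by SAML assertion ID.

    `store` is a dict-like mapping assertion_id -> NotOnOrAfter (epoch
    seconds). Every server instance must hand in the SAME store object
    (in production: a distributed cache or database, not process memory)
    or duplicates that land on another instance go undetected.
    """

    def __init__(self, store, clock=time.time):
        self._store = store
        self._clock = clock
        self._lock = threading.Lock()  # only serialises threads in this process

    def accept(self, assertion_id, not_on_or_after):
        """True on first sight of a still-valid assertion, False otherwise."""
        now = self._clock()
        if not_on_or_after <= now:
            return False  # already past NotOnOrAfter: reject regardless of cache
        with self._lock:
            # Drop entries whose NotOnOrAfter has passed; an assertion that old
            # is rejected by the check above anyway, so the cache stays bounded.
            for aid in [a for a, exp in self._store.items() if exp <= now]:
                del self._store[aid]
            if assertion_id in self._store:
                return False  # seen before: replay
            # With a real shared store this must be an atomic set-if-absent
            # (e.g. Redis SET NX EX) rather than a check followed by a write.
            self._store[assertion_id] = not_on_or_after
            return True


def simulate(shared, now=1_000.0):
    """Deliver one assertion to instance A, then replay it to instance B.

    Returns (accepted_by_a, accepted_by_b). With shared=False each instance
    has its own cache (the per-instance behaviour the question describes);
    with shared=True both instances use one store.
    """
    clock = lambda: now  # fixed clock so the run is deterministic
    store_a = {}
    store_b = store_a if shared else {}
    instance_a = ReplayCache(store_a, clock)
    instance_b = ReplayCache(store_b, clock)
    assertion_id = "_constructed-assertion-id-1"  # constructed sample value
    valid_until = now + 300  # NotOnOrAfter five minutes out
    return (instance_a.accept(assertion_id, valid_until),
            instance_b.accept(assertion_id, valid_until))
```

With separate stores the replay is accepted by the second instance; only a store shared across all instances (with an atomic insert) rejects it.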