CCNet

Mar 1, 2024   •  3 min read

Strengthening cyber defense: protective measures against Golden and Silver SAML attacks

SAML is a core component of modern authentication. For example, 63 percent of Entra ID Gallery applications rely on SAML for integration. Multi-cloud integrations with Amazon Web Services (AWS), Google Cloud Platform (GCP), and others are based on SAML, and many organizations continue to invest in SAML for SaaS and line-of-business (LOB) applications because it is easy to implement. The security threats known as Golden SAML and Silver SAML exploit the trust that the Security Assertion Markup Language (SAML) Single Sign-On (SSO) protocol places in the identity provider's signing key. Both techniques allow attackers to bypass authentication by forging or manipulating SAML assertions, giving them unauthorized access to protected resources. Here is a detailed technical look at both techniques and the countermeasures.

Golden SAML

Core concept: Golden SAML attacks are based on attackers gaining access to the Active Directory Federation Services (AD FS) infrastructure. By gaining access to the AD FS server, attackers can extract the token signing certificate and private key. These critical security elements allow them to sign SAML assertions that are accepted by trusted parties as if they came from a legitimate identity provider (IdP).

[Figure: Diagram of SAML authentication between service provider, browser and Entra ID identity provider.]

Technical implementation: Once an attacker has extracted the token signing certificate and the corresponding private key, they can create a SAML assertion for any identity. This means building an authentication token that carries attributes such as user identity, permissions, and roles. Because the token is signed with the legitimate key, the attacker can impersonate any user towards any Service Provider (SP) that trusts this IdP.

Silver SAML

Core concept: Silver SAML extends the Golden SAML attack technique to cloud-based identity services such as Microsoft Entra ID. The main difference is that Silver SAML exploits the use of externally generated certificates to sign SAML responses. If an attacker gets hold of the private key of such a certificate, they can forge SAML responses that are accepted by cloud-based identity services.

[Figure: Flowchart of the SAML-based authentication sequence between service provider, user browser and Entra ID identity provider.]

Technical execution: The attack begins with the acquisition or compromise of an externally generated signing certificate used for the SAML signature. With the certificate's private key, the attacker can generate validly signed SAML responses. These forged responses allow the attacker to impersonate a legitimate user and gain access to the corresponding cloud-based resources.

Countermeasures

Use of self-signed certificates: One of the most effective countermeasures is the exclusive use of self-signed certificates generated directly by the identity services. These certificates are more secure because the private key never leaves the controlled environments of the service provider.

[Figure: Diagram of a SAML security incident with a falsified SAML response in the authentication process between service provider and Entra ID.]

Strict management of certificates: Organizations must implement strict management of signing certificates. This includes secure storage, restriction of access to private keys, and regular renewal of certificates.

[Figure: Simplified scheme of SAML attacker behavior with a fake SAML response sent from the browser to the service provider.]

Monitoring and alerting: Implementing monitoring that detects unusual authentication attempts and raises alerts is crucial. A forged assertion is accepted by the relying party even though the legitimate IdP never issued it, so correlating sign-ins at the relying party with token issuance on the IdP helps identify potential attacks at an early stage and initiate appropriate countermeasures.
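As an added example (not part of the CCNet post), the correlation described above in Python: every federated sign-in recorded at the cloud identity service should be preceded by a token-issuance audit event on the on-premises AD FS server. A sign-in for which AD FS logged no issuance within a short window is the signature of a token that AD FS did not produce. The log records are constructed sample data and the field names (`time`, `user`, `auth_method`, `event_id`) are assumptions, not the real Entra ID sign-in or AD FS schemas; AD FS event 1200 is the real "token issued" audit event.

```python
"""Correlate cloud federated sign-ins with AD FS token-issuance events.
Added detection example; record layouts are assumptions, data is constructed."""
from datetime import datetime, timedelta, timezone

ADFS_TOKEN_ISSUED = 1200  # AD FS audit event: the Federation Service issued a valid token

# Constructed sample: sign-ins seen at the cloud identity service.
CLOUD_SIGNINS = [
    {"time": "2024-03-01T08:00:05Z", "user": "alice@example.com", "auth_method": "federated", "ip": "203.0.113.10"},
    {"time": "2024-03-01T09:15:00Z", "user": "bob@example.com", "auth_method": "federated", "ip": "198.51.100.7"},
    {"time": "2024-03-01T10:00:00Z", "user": "carol@example.com", "auth_method": "federated", "ip": "203.0.113.10"},
    {"time": "2024-03-01T10:30:00Z", "user": "dave@example.com", "auth_method": "cloud_password", "ip": "203.0.113.10"},
]

# Constructed sample: audit events exported from the AD FS server.
ADFS_EVENTS = [
    {"time": "2024-03-01T08:00:02Z", "user": "alice@example.com", "event_id": 1200},  # token issued 3 s before sign-in
    {"time": "2024-03-01T09:14:58Z", "user": "bob@example.com", "event_id": 1202},    # credential validated, no token issued
    {"time": "2024-03-01T07:00:00Z", "user": "carol@example.com", "event_id": 1200},  # token issued, but hours earlier
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unmatched_signins(cloud_signins, adfs_events, window_minutes: int = 5):
    """Return federated sign-ins that have no AD FS token-issuance event for the
    same user inside the preceding `window_minutes`. Non-federated sign-ins
    (cloud-only password, etc.) are out of scope and skipped."""
    window = timedelta(minutes=window_minutes)

    # Index issuance times per user (case-insensitive UPN match).
    issued: dict[str, list[datetime]] = {}
    for ev in adfs_events:
        if ev["event_id"] != ADFS_TOKEN_ISSUED:
            continue
        issued.setdefault(ev["user"].lower(), []).append(parse_ts(ev["time"]))

    unmatched = []
    for signin in cloud_signins:
        if signin["auth_method"] != "federated":
            continue
        t = parse_ts(signin["time"])
        candidates = issued.get(signin["user"].lower(), [])
        if not any(t - window <= issued_at <= t for issued_at in candidates):
            unmatched.append({
                "user": signin["user"],
                "time": signin["time"],
                "ip": signin["ip"],
                "reason": f"no AD FS event {ADFS_TOKEN_ISSUED} for this user within {window_minutes} min",
            })
    return unmatched


if __name__ == "__main__":
    for alert in find_unmatched_signins(CLOUD_SIGNINS, ADFS_EVENTS):
        print(f"ALERT federated sign-in without IdP issuance: {alert}")
```

On the sample data the check flags bob (AD FS only validated a credential, it issued no token) and carol (her last issuance is hours old). The window must be tuned to the clock skew and export latency of the real environment, and the correlation key should be whatever identifier both log sources share (UPN or immutable ID).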

Training and awareness: Training IT staff and end users on the risks and signs of attacks such as Golden and Silver SAML is invaluable. A sound understanding of the threat landscape and appropriate security practices can help reduce the risk of security breaches.

Regular security audits: Conducting regular security audits and assessments of the infrastructure, including reviewing the configuration of identity providers and the signing certificates in use, is critical to identifying and remediating potential weaknesses before they are exploited.
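As an added example (not the post's or any vendor's code), a relying-party audit check in Python that inspects a SAML response for three things an auditor reviewing "the configuration of identity providers and certificates used" cares about: the issuer is the expected IdP, the certificate embedded in the signature is one of the IdP's currently published signing certificates, and the assertion's validity window is no longer than the IdP is configured to issue. The response XML, the placeholder certificate bytes and the trusted-thumbprint set are all constructed; a real deployment takes the thumbprints from the IdP's federation metadata. This is an audit layer only: the SP's SAML library must still perform full XML-Signature verification, which this check does not replace.

```python
"""Audit a SAML response against pinned IdP signing certificates and a maximum
assertion lifetime. Added example; all inputs below are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder, NOT a real X.509 certificate: only its hash matters here.
FAKE_CERT_DER = b"constructed-idp-signing-certificate-placeholder"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()


def sha256_thumbprint(cert_b64: str) -> str:
    """SHA-256 thumbprint of a base64-encoded DER certificate (the form used in ds:X509Certificate)."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


# Pinned set: in practice populated from the IdP's published federation metadata.
TRUSTED_THUMBPRINTS = {sha256_thumbprint(FAKE_CERT_B64)}
EXPECTED_ISSUER = "https://idp.example.com/"  # assumed IdP entity ID
MAX_LIFETIME = timedelta(minutes=10)           # assumed: what the IdP is configured to issue

# Constructed minimal SAML response (signature value omitted, only KeyInfo matters for this check).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-03-01T08:00:00Z" NotOnOrAfter="2024-03-01T08:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# Constructed "bad" variant: signed with a certificate the IdP never published and valid for a year.
FORGED_RESPONSE = SAMPLE_RESPONSE.replace(
    FAKE_CERT_B64, base64.b64encode(b"unpublished-certificate-placeholder").decode()
).replace('NotOnOrAfter="2024-03-01T08:05:00Z"', 'NotOnOrAfter="2025-03-01T08:05:00Z"')


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_response(xml_text: str, trusted_thumbprints: set, expected_issuer: str,
                   max_lifetime: timedelta) -> list:
    """Return a list of findings; an empty list means the response passed every check."""
    findings = []
    root = ET.fromstring(xml_text)

    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.text.strip() != expected_issuer:
        findings.append(f"unexpected issuer: {None if issuer is None else issuer.text}")

    cert = root.find(".//ds:X509Certificate", NS)
    if cert is None:
        findings.append("no signing certificate in response")
    else:
        thumb = sha256_thumbprint(cert.text.strip())
        if thumb not in trusted_thumbprints:
            findings.append(f"unknown signing certificate (sha256 {thumb[:16]}...)")

    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions element")
    else:
        lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if lifetime > max_lifetime:
            findings.append(f"assertion lifetime {lifetime} exceeds configured maximum {max_lifetime}")
    return findings


if __name__ == "__main__":
    for label, doc in (("legitimate", SAMPLE_RESPONSE), ("forged", FORGED_RESPONSE)):
        print(label, audit_response(doc, TRUSTED_THUMBPRINTS, EXPECTED_ISSUER, MAX_LIFETIME) or "OK")
```

The thumbprint check is what makes a rotated or unexpected signing certificate visible in an audit; keeping the pinned set in sync with each certificate renewal is part of the certificate-management process the post calls for.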

Conclusion: The technical nature and potential impact of Golden and Silver SAML attacks require a comprehensive security strategy that includes both preventative and reactive measures. By implementing rigorous certificate management practices, regularly monitoring authentication processes, and training IT staff and end users on the risks and signs of these attacks, organizations can strengthen their defense against these sophisticated attack techniques.