
Golden SAML Attack: Hijacking Authentication in the Cloud

  • Writer: Akshay Jain
  • Mar 15

With the rapid adoption of cloud-based applications and services, attackers continuously develop sophisticated techniques to bypass authentication mechanisms. One such advanced technique is the Golden SAML attack, a method that allows adversaries to forge authentication tokens and gain unauthorized access to cloud services, even bypassing multi-factor authentication (MFA).


Originally uncovered as part of the SolarWinds supply chain attack, Golden SAML has become a significant threat to enterprises relying on Security Assertion Markup Language (SAML)-based authentication for federated identity management. In this blog, we’ll break down how the attack works, why it’s so dangerous, and what security teams can do to defend against it.


Understanding SAML Authentication

Before diving into the attack, let’s quickly understand how SAML authentication functions.


SAML is an XML-based open standard for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). It is widely used in single sign-on (SSO) environments, where users authenticate once with their identity provider and can then access multiple services without logging in again.


SAML Authentication Workflow

  1. User Requests Access – A user attempts to access a cloud application (e.g., AWS, Microsoft 365, Google Workspace).

  2. Redirect to IdP – The service provider redirects the user to the identity provider for authentication.

  3. Authentication and SAML Assertion Generation – After successful authentication, the IdP issues a SAML assertion (token) that confirms the user's identity and permissions.

  4. Assertion Sent to SP – The assertion is sent back to the service provider.

  5. Access Granted – The service provider verifies the assertion and grants the user access.


SAML assertions are digitally signed with the IdP’s private key; the service provider verifies that signature against the IdP’s public certificate, which is what makes the assertion trustworthy to the SP.
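To make step 5 concrete, the following is an added example (not code from the original post) of the policy checks a service provider applies to an assertion before trusting it: expected issuer, pinned signing certificate, validity window and maximum lifetime, audience, recipient, and correlation with an outstanding authentication request. The assertion, the certificate bytes, the IdP and SP names and the timestamps are all constructed for the example; the XML-DSig signature verification itself is delegated in real SPs to a library such as python3-saml or signxml and is not reproduced here. The point for Golden SAML is visible in `demo()`: an assertion signed with the IdP's genuine key passes every one of these checks, and only removing that certificate from the trusted set (the rotated case) makes the SP reject it.

```python
"""Service-provider policy checks on a SAML 2.0 assertion (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed inputs: placeholder certificate bytes (not a real X.509 certificate),
# a hypothetical IdP and SP, and an assertion shaped like what an ADFS-style IdP issues.
CERT_DER = b"constructed-placeholder-certificate-bytes"
ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2025-03-10T09:00:00Z">
  <saml:Issuer>https://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject>
    <saml:NameID>alice@corp.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example/acs"
          NotOnOrAfter="2025-03-10T09:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-03-10T09:00:00Z" NotOnOrAfter="2025-03-10T10:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# What this SP has been configured to trust (constructed values).
SP_CONFIG = {
    "issuer": "https://adfs.corp.example/adfs/services/trust",
    "audience": "https://sp.example",
    "acs_url": "https://sp.example/acs",
    "trusted_cert_sha256": {hashlib.sha256(CERT_DER).hexdigest()},
    "max_lifetime": timedelta(hours=1),  # policy assumption for this example
}
EXAMPLE_NOW = datetime(2025, 3, 10, 9, 1, tzinfo=timezone.utc)


def _ts(value):
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def policy_checks(xml_text, config, now, outstanding_request_ids):
    """Return the policy violations found; an empty list means the assertion passes
    every check except the XML-DSig signature verification, which is done elsewhere."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Version") != "2.0":
        problems.append("unsupported SAML version")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["issuer"]:
        problems.append(f"unexpected issuer {issuer}")
    # Pin the signing certificate by thumbprint: this is the trust the IdP's key carries.
    cert_b64 = (root.findtext(".//ds:X509Certificate", namespaces=NS) or "").strip()
    thumbprint = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()
    if thumbprint not in config["trusted_cert_sha256"]:
        problems.append("signing certificate is not in the trusted set")
    cond = root.find("saml:Conditions", NS)
    not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        problems.append("assertion is outside its validity window")
    if not_after - not_before > config["max_lifetime"]:
        problems.append("validity window exceeds configured maximum")
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if config["audience"] not in audiences:
        problems.append("audience restriction does not name this SP")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != config["acs_url"]:
        problems.append("recipient is not this SP's assertion consumer service")
    if scd.get("InResponseTo") not in outstanding_request_ids:
        problems.append("assertion does not answer an outstanding request")
    if now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("subject confirmation has expired")
    return problems


def demo():
    """Run the checks in three situations and return the violations for each."""
    outstanding = {"_req42"}  # request IDs this SP issued and is still waiting on
    rotated = dict(SP_CONFIG, trusted_cert_sha256={"0" * 64})  # old cert removed from trust
    return {
        "legitimate": policy_checks(ASSERTION_XML, SP_CONFIG, EXAMPLE_NOW, outstanding),
        "replayed_two_hours_later": policy_checks(
            ASSERTION_XML, SP_CONFIG, EXAMPLE_NOW + timedelta(hours=2), outstanding),
        "after_cert_rotation": policy_checks(ASSERTION_XML, rotated, EXAMPLE_NOW, outstanding),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {'accepted' if not problems else '; '.join(problems)}")
```

Every check above is a property of the assertion's contents, and a forged assertion built with the stolen key can satisfy all of them by construction. That is why the defensive guidance later in the post centres on protecting and rotating the signing certificate and on correlating SP logins with IdP issuance records rather than on inspecting the token itself.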


Golden SAML


How the Golden SAML Attack Works

A Golden SAML attack allows an attacker to forge SAML assertions without needing valid credentials. Instead of compromising user passwords, the attacker steals the private key of the IdP, which allows them to generate valid authentication tokens at will.


Steps in a Golden SAML Attack

  1. Gain Access to the Identity Provider’s Server – The attacker first breaches the on-premises IdP (e.g., Active Directory Federation Services – ADFS) and extracts the private key.

  2. Forge a SAML Assertion – Using the stolen private key, the attacker creates a fake SAML assertion for any user, even administrative accounts.

  3. Sign the Assertion – The attacker signs the forged assertion with the stolen key, making it appear legitimate.

  4. Send Assertion to a Service Provider – The attacker sends the malicious SAML token to a cloud service provider (e.g., AWS, Microsoft 365).

  5. Gain Full Access Without MFA – Since the assertion is cryptographically valid, the service provider accepts it, granting the attacker full access to cloud resources without needing the actual credentials or MFA tokens.


Why Golden SAML is Dangerous

  • Bypasses MFA: Since the attacker forges authentication responses, MFA mechanisms are completely bypassed.

  • Long-Term Access: If the IdP’s private key isn’t rotated, attackers can continue generating valid tokens indefinitely.

  • Privileged Access: Attackers can forge tokens for high-privilege users, escalating their access.

  • Difficult to Detect: Since authentication logs appear normal (tokens are valid), traditional detection methods often fail.


Real-World Case: SolarWinds Attack

The SolarWinds breach, one of the most sophisticated nation-state cyberattacks, leveraged the Golden SAML technique to maintain persistent access to cloud environments. After injecting a backdoor into SolarWinds Orion software, attackers extracted SAML signing certificates from compromised networks, allowing them to forge authentication tokens for Microsoft 365 and Azure services.

This enabled them to access emails, files, and sensitive government data, all while bypassing traditional security measures.


Defending Against Golden SAML Attacks

Since Golden SAML exploits weaknesses in authentication infrastructure, organizations must adopt proactive security measures to mitigate the risk.


Secure the Identity Provider

  • Protect SAML Signing Certificates – Store private keys securely using Hardware Security Modules (HSMs) or highly restricted access controls.

  • Rotate Certificates Regularly – Regularly update and rotate signing certificates to minimize long-term exposure.

  • Implement Least Privilege Access – Restrict access to IdP servers to only essential administrators.


Enhance Detection Capabilities

  • Monitor SAML Token Creation Logs – Investigate anomalies such as tokens generated from unusual devices or locations.

  • Enable Conditional Access Policies – Use Azure AD or AWS IAM policies to enforce additional verification mechanisms.

  • Detect Privileged Access Token Abuse – Track unusual logins associated with administrative accounts.
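The detection bullets above (monitoring token creation logs and privileged-account logins) come together in one concrete check: every assertion a healthy IdP signs leaves an issuance event in the IdP's own log, whereas a Golden SAML token is signed offline and only ever appears on the service-provider side. The following is an added example, not code from the original post, that joins constructed SP sign-in records with constructed IdP issuance records by assertion ID and flags sign-ins with no issuance event, assertions whose lifetime exceeds a policy maximum, and privileged sign-ins from outside assumed corporate address ranges. The log layouts, the one-hour lifetime limit and the 10.0.0.0/8 corporate range are assumptions for the example, not any product's schema or defaults.

```python
"""Correlate SP sign-ins with IdP token issuance events to surface assertions
the IdP never minted (added example; log layouts are constructed)."""
import ipaddress
from datetime import datetime, timedelta

# Policy assumptions for this example, not values from the post.
MAX_ASSERTION_LIFETIME = timedelta(hours=1)
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed IdP issuance events: one per assertion the federation service signed.
IDP_ISSUANCE_LOG = [
    {"assertion_id": "_a1", "user": "alice@corp.example",
     "issued": "2025-03-10T09:00:00Z", "client_ip": "10.1.2.3", "mfa": True},
    {"assertion_id": "_a2", "user": "bob@corp.example",
     "issued": "2025-03-10T09:05:00Z", "client_ip": "10.1.2.4", "mfa": True},
]

# Constructed SP sign-in events: what the cloud service recorded when it accepted
# an assertion. The third entry carries a valid signature but never passed through
# the IdP, which is what a forged Golden SAML token looks like from the SP side.
SP_SIGNIN_LOG = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "time": "2025-03-10T09:00:05Z",
     "not_after": "2025-03-10T10:00:00Z", "source_ip": "10.1.2.3", "privileged": False},
    {"assertion_id": "_a2", "user": "bob@corp.example", "time": "2025-03-10T09:05:03Z",
     "not_after": "2025-03-10T10:05:00Z", "source_ip": "10.1.2.4", "privileged": False},
    {"assertion_id": "_zz9", "user": "admin@corp.example", "time": "2025-03-10T23:41:00Z",
     "not_after": "2026-03-10T23:41:00Z", "source_ip": "203.0.113.7", "privileged": True},
]


def _ts(value):
    # Timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate(idp_log, sp_log):
    """Return one finding per suspicious SP sign-in, with every reason it was flagged."""
    issued = {event["assertion_id"]: event for event in idp_log}
    findings = []
    for signin in sp_log:
        reasons = []
        minted = issued.get(signin["assertion_id"])
        if minted is None:
            # The strongest Golden SAML signal: the SP trusted a token the IdP never logged.
            reasons.append("no IdP issuance event for this assertion id")
        else:
            if minted["user"] != signin["user"]:
                reasons.append(f"IdP issued it to {minted['user']}, SP accepted it for {signin['user']}")
            if not minted["mfa"]:
                reasons.append("issued without MFA")
        lifetime = _ts(signin["not_after"]) - _ts(signin["time"])
        if lifetime > MAX_ASSERTION_LIFETIME:
            reasons.append(f"assertion lifetime {lifetime} exceeds {MAX_ASSERTION_LIFETIME}")
        ip = ipaddress.ip_address(signin["source_ip"])
        if signin["privileged"] and not any(ip in net for net in CORPORATE_NETWORKS):
            reasons.append(f"privileged sign-in from non-corporate address {ip}")
        if reasons:
            findings.append({"assertion_id": signin["assertion_id"],
                             "user": signin["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(IDP_ISSUANCE_LOG, SP_SIGNIN_LOG):
        print(f"{finding['assertion_id']} ({finding['user']}):")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

In practice the left side of this join is the federation server's audit log and the right side is the cloud provider's sign-in log, so both have to be collected into the same SIEM with enough retention to cover the assertion lifetimes you allow; the example also shows why an unusually long validity window is worth alerting on by itself, since a legitimate IdP issues short-lived assertions.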


Improve Incident Response Readiness

  • Enable Audit Logging – Maintain comprehensive logs of authentication events in SIEM solutions.

  • Simulate Attacks – Conduct red team exercises to assess resilience against Golden SAML tactics.

  • Rapid Certificate Revocation – Prepare a response plan to revoke compromised signing certificates swiftly.


The Golden SAML attack is a potent method for hijacking authentication in cloud environments, allowing adversaries to bypass MFA, maintain long-term access, and escalate privileges invisibly. As cloud adoption grows, understanding and mitigating this attack is critical for security teams.


Happy cyber-exploration! 🚀🔒


Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!


-AJ


