In the ever-evolving landscape of cybersecurity, the discovery of the “Silver SAML” technique marks a significant development in the methodology of cyber threats targeting identity systems. This technique, a variation of the previously documented “Golden SAML,” presents a novel approach for threat actors to forge SAML response tokens. Unlike its predecessor, which required access to Active Directory Federation Services (ADFS), Silver SAML operates in environments that allow for externally generated SAML signing certificates, such as Microsoft Entra ID (formerly Azure AD).

Understanding Silver SAML and Its Impact

The “Golden SAML” attack vector, first identified by CyberArk in 2017, gained notoriety during the SolarWinds breach in 2020. It involved stealing ADFS certificates to create SAML tokens, granting attackers authentication capabilities that bypassed conventional security measures like passwords and two-factor authentication. This facilitated unauthorized access to federated services, allowing attackers to assign themselves elevated privileges within a network.

Silver SAML, as uncovered by Semperis, advances this threat without necessitating access to ADFS. It leverages the acceptance of externally generated signing certificates in SAML architectures: if an attacker obtains the private key of such a certificate, they can forge SAML tokens and gain unauthorized access to applications within the target network. By contrast, when the signing certificate is generated within an environment like Microsoft Entra ID, the private key cannot be exported, which makes forging SAML responses impracticable without it.

The distinction between Golden and Silver SAML is critical: while Golden SAML can be used to access Entra ID and potentially other applications, Silver SAML’s threat is confined to application access, not directly compromising Entra ID itself.

Recommendations for Enhancing Security

In light of the potential risks posed by Silver SAML, several recommendations are outlined to bolster defenses against such threats:

  • Utilize Entra ID Self-Signed Certificates: To mitigate the risk of attackers using externally generated certificates, organizations should use Entra ID self-signed certificates for SAML signing purposes.
  • Monitor and Limit Access: The ability of Global Administrators, Application Administrators, Cloud Application Administrators, and delegated application owners to modify signing keys should be restricted. Changes to SAML signing keys should be closely monitored, and ownership over applications should be limited to essential personnel.
  • Monitor Entra ID Audit Logs: Organizations should scrutinize changes to PreferredTokenSigningKeyThumbprint under the ApplicationManagement category and correlate them with “Add service principal credential” events for the same service principal. Implementing change control processes for certificate rotation events is also advisable.
  • Consider Using OIDC for Authentication: For applications supporting both SAML and OpenID Connect (OIDC) for authentication, switching the integration to OIDC could help mitigate the threat posed by Silver SAML. The feasibility of this change depends on how the standards are implemented by the application developer.
  • Implement Application-Side Protections: Application developers can fortify their defenses against such attacks by requiring Service Provider (SP)-initiated flows, ensuring that responses contain an InResponseTo value correlating to a SAML request, observing the time window for receiving a SAML response, and providing the option to use OIDC for integration.
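The audit-log recommendation above, worked through as an added example (not code from the original article or from Semperis): it scans a constructed batch of Entra ID audit records for PreferredTokenSigningKeyThumbprint changes and reports which of them were preceded, within a time window, by an “Add service principal credentials” event on the same service principal. The record shape follows the Microsoft Graph directoryAudit schema, but the property names, timestamps, actors and thumbprints are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed Entra ID audit records shaped like Microsoft Graph directoryAudit entries.
# All values are made up for this example; the property names are an assumption.
def _rec(when, activity, actor, sp, props):
    return {"activityDateTime": when, "category": "ApplicationManagement",
            "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"id": sp, "modifiedProperties": props}]}

KEY = "PreferredTokenSigningKeyThumbprint"
SAMPLE_AUDIT_LOG = [
    # alice registers a new credential on sp-0001, then makes it the preferred signing key
    _rec("2024-03-01T10:00:00Z", "Add service principal credentials", "alice@example.com", "sp-0001", []),
    _rec("2024-03-01T10:02:00Z", "Update service principal", "alice@example.com", "sp-0001",
         [{"displayName": KEY, "oldValue": "THUMB-SELFSIGNED-1", "newValue": "THUMB-EXTERNAL-1"}]),
    # bob switches sp-0002 between two already-registered keys; no credential was added
    _rec("2024-03-02T09:00:00Z", "Update service principal", "bob@example.com", "sp-0002",
         [{"displayName": KEY, "oldValue": "THUMB-SELFSIGNED-2", "newValue": "THUMB-SELFSIGNED-3"}]),
]

def _ts(rec):
    return datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
def _actor(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")

def _key_change(rec):
    """Return the PreferredTokenSigningKeyThumbprint modification in this record, or None."""
    if rec.get("category") != "ApplicationManagement":
        return None
    props = rec["targetResources"][0].get("modifiedProperties", [])
    return next((p for p in props if p.get("displayName") == KEY), None)

def correlate_signing_key_changes(records, window=timedelta(hours=24)):
    """For each signing-key change, list credential-add events on the same service principal
    within `window` before it; a change right after a fresh credential add is reviewed first."""
    cred_adds = [r for r in records
                 if r.get("activityDisplayName") == "Add service principal credentials"]
    findings = []
    for rec in sorted(records, key=_ts):
        prop = _key_change(rec)
        if prop is None:
            continue
        sp, when = rec["targetResources"][0]["id"], _ts(rec)
        related = [r for r in cred_adds
                   if r["targetResources"][0]["id"] == sp and when - window <= _ts(r) <= when]
        findings.append({"service_principal": sp, "changed_at": rec["activityDateTime"],
                         "changed_by": _actor(rec), "old_thumbprint": prop.get("oldValue"),
                         "new_thumbprint": prop.get("newValue"),
                         "preceded_by_credential_add": bool(related),
                         "credential_add_by": sorted({_actor(r) for r in related})})
    return findings
```

In a real deployment the records would come from the Graph audit log or a SIEM export, and a finding with `preceded_by_credential_add` set is the one to check against the change-control record for that certificate rotation.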

Ending Note

The emergence of the Silver SAML technique highlights the nuanced and sophisticated nature of modern cybersecurity threats. Its severity and impact largely depend on an organization’s security posture and the extent of its SAML implementation. This development underscores the importance of vigilant security practices, particularly in the management of certificates within SAML architectures. By adhering to the recommended security measures, organizations can enhance their resilience against this and similar threats, safeguarding their identity systems against unauthorized access.
