What is Golden SAML?

The Golden SAML threat vector enables an attacker to create a forged SAML “authentication object” and authenticate to every service that uses the SAML 2.0 protocol as an SSO mechanism. In a Golden SAML attack, the attacker can gain access to any application that supports SAML authentication, with any privileges. This gives the attacker access to targeted web-based applications.

Why is the Golden SAML threat vector important? Remediation has been painfully slow. The vulnerability, first publicly revealed by researchers in 2017, allows hackers to fake the identity of authorized employees and gain access to customers’ cloud services. The technique was reportedly one of many used in the SolarWinds hack.

Why is Golden SAML newsworthy? Due in part to the impact that SAML-based attacks have had on IT systems supporting the US Federal government, elected officials have proposed various legislative solutions. In February 2021, multiple media outlets reported that US Senator Ron Wyden and ‘security experts’ asserted that Microsoft’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack, which compromised at least nine federal government agencies.

The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as between an identity provider (IdP) and a service provider (SP). It is frequently used as part of web browser single sign-on (SSO) to cloud-based services. For example, in Microsoft Office 365, as a user opens a Word document, SAML is used to check that the user has an Office 365 license. A common way of conducting that check is to verify that the user's account exists in Active Directory. Using SAML, Microsoft Active Directory can act as an Identity Provider.
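Because a Golden SAML assertion is signed with the identity provider's real token-signing key, the service provider's signature check passes, so defenders have to correlate the assertions a service provider (SP) accepts with the sign-ins the IdP actually performed. The following is an added example (not code from the original post or from any vendor); the log records and their field names are constructed for illustration, and the one-hour lifetime and 60-second skew are assumed policy values:

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. SP_ASSERTIONS are SAML assertions
# the service provider accepted; IDP_LOGINS are sign-ins the IdP actually did.
SP_ASSERTIONS = [
    {"id": "a1", "user": "alice", "issued": "2021-02-01T09:00:05Z", "expires": "2021-02-01T10:00:05Z"},
    {"id": "a2", "user": "bob",   "issued": "2021-02-01T11:30:00Z", "expires": "2021-02-01T12:30:00Z"},
    {"id": "a3", "user": "carol", "issued": "2021-02-01T13:00:00Z", "expires": "2021-02-02T13:00:00Z"},
]
IDP_LOGINS = [
    {"user": "alice", "time": "2021-02-01T09:00:00Z"},
    {"user": "carol", "time": "2021-02-01T12:59:58Z"},
]


def parse_ts(s):
    """Parse the UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_assertions(assertions, logins,
                          max_skew=timedelta(seconds=60),
                          max_lifetime=timedelta(hours=1)):
    """Return (assertion_id, reason) for assertions the IdP logs do not explain.

    Two signals: an assertion whose validity window is longer than the IdP
    would ever issue, and an assertion with no IdP sign-in for the same user
    shortly before it was issued (a forged assertion never touched the IdP).
    """
    by_user = {}
    for login in logins:
        by_user.setdefault(login["user"], []).append(parse_ts(login["time"]))

    findings = []
    for a in assertions:
        issued, expires = parse_ts(a["issued"]), parse_ts(a["expires"])
        if expires - issued > max_lifetime:
            findings.append((a["id"], "lifetime exceeds IdP policy"))
        backed = any(timedelta(0) <= issued - t <= max_skew
                     for t in by_user.get(a["user"], []))
        if not backed:
            findings.append((a["id"], "no IdP sign-in backs this assertion"))
    return findings


if __name__ == "__main__":
    for assertion_id, reason in suspicious_assertions(SP_ASSERTIONS, IDP_LOGINS):
        print(f"{assertion_id}: {reason}")
```

In a real deployment the IdP side would come from AD FS or the cloud IdP's sign-in audit log and the SP side from the application's authentication log; the point is that only the IdP's own record can show whether an accepted assertion was ever actually issued.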


References

https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps