What is Golden SAML?

The Golden SAML threat vector enables an attacker to create a forged SAML “authentication object” and authenticate to every service that uses the SAML 2.0 protocol as an SSO mechanism. In a Golden SAML attack, the attacker can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere) with any privileges they desire and as any user on the targeted application (in some cases even a user that does not exist in the application).
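Because a Golden SAML assertion is signed with the identity provider's real signing key, signature validation alone does not catch it. The following added example (not from the original page or the CyberArk research) shows the kind of correlation check a defender can run over assertions observed at the service provider: it flags assertions the IdP never logged as issued, subjects absent from the directory, and validity windows longer than IdP policy allows. The assertion fragment, issuance log, directory and the one-hour lifetime policy are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment; signature handling is out of scope here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_abc123" IssueInstant="2021-02-25T10:00:00Z" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>ghost.user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-02-25T10:00:00Z" NotOnOrAfter="2021-03-25T10:00:00Z"/>
</saml:Assertion>"""

# Constructed IdP issuance log (assertion IDs the IdP actually minted) and user directory.
IDP_ISSUED_IDS = {"_def456", "_ghi789"}
DIRECTORY_USERS = {"alice@example.test", "bob@example.test"}
MAX_LIFETIME = timedelta(hours=1)  # assumed policy: the IdP never issues tokens valid longer than 1h

def _ts(value):
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_assertion(xml_text):
    """Extract the fields needed for correlation from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)  # use defusedxml on untrusted input in production
    cond = root.find("saml:Conditions", NS)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
    }

def golden_saml_indicators(a, issued_ids=IDP_ISSUED_IDS, users=DIRECTORY_USERS):
    """Return the anomalies that, taken together, suggest a forged assertion."""
    findings = []
    if a["id"] not in issued_ids:
        findings.append("no matching IdP issuance event for assertion ID")
    if a["subject"] not in users:
        findings.append("subject does not exist in the directory")
    if a["not_on_or_after"] - a["not_before"] > MAX_LIFETIME:
        findings.append("validity window exceeds IdP policy")
    return findings

if __name__ == "__main__":
    for finding in golden_saml_indicators(parse_assertion(SAMPLE_ASSERTION)):
        print("ALERT:", finding)
```

In a real deployment the issuance log would come from the IdP's own token-issuance events and the directory lookup from the identity store, so that the service-provider view can be reconciled against what the IdP actually did.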

Why is the Golden SAML threat vector important? The vulnerability, first publicly revealed by researchers in 2017, allows hackers to fake the identity of authorized employees and gain access to customers’ cloud services. The technique was reportedly one of many used in the SolarWinds hack.

Why is Golden SAML newsworthy? On February 25, multiple media outlets reported that US Senator Ron Wyden and ‘security experts’ asserted that Microsoft’s failure to fix known problems with its cloud software facilitated the massive SolarWinds hack, which compromised at least nine federal government agencies.

The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. It is frequently used as part of web browser single sign-on (SSO) to cloud-based services, for example Microsoft Office 365. When a user opens a Word document on their Office 365-enabled computer, SAML is used to check that the user has an Office 365 license. One way of conducting that check is to verify that the user's account exists in Active Directory. Using SAML, Microsoft Active Directory can act as an identity provider.

References

https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps