Golden SAML

A new technique called "Golden SAML" lets attackers forge authentication requests and access the cloud-based apps of companies that use SAML-compatible domain controllers (DCs) for the authentication of users against cloud services.

Golden SAML is not a tool that hackers can use to break into secure enterprises but is a technique used after an attacker has compromised a company.

The name of this technique was not chosen at random, being a variation of the "Golden Ticket" attack, also known as Pass-the-Ticket [1, 2]. Discovered and detailed by Benjamin Delpy, the author of the Mimikatz tool, the Golden Ticket attack relies on an attacker compromising a Kerberos server and using it to forge authentication tickets for apps that use that Kerberos server for authentication.

Golden SAML attack is a variation of Golden Ticket attack

The Golden SAML attack is a variation of this attack, but for services that use the SAML 2.0 protocol, an open standard for exchanging authentication and authorization data between parties.

According to the SAML (Security Assertion Markup Language) 2.0 standard, a normal authentication attempt would look like the image below:

Normal SAML authentication

where:
Identity Provider (IdP) would be an Active Directory Federation Services (AD FS) server, an Okta service, or any other SAML service a company uses to manage employee identities.
Client would be a user trying to access an app (the Service Provider).
Service Provider would be an app, such as the AWS console, the vSphere web client, or any other cloud-hosted app.

In a Golden SAML attack, the client would be the attacker, and the authentication process would be modified to take place as in the image below:

Golden SAML attack

According to CyberArk, the company that uncovered the Golden SAML attack, an attacker who has compromised a company's domain controller can use special tools (such as Mimikatz) to extract the IdP's private key that is used to sign authentication tokens.

The attacker would then use this private key to create "golden tickets" for authenticating against any of the company's cloud-based apps, posing as the IdP.

Golden SAML attack can bypass password resets, 2FA

According to CyberArk, the attacker can use the Golden SAML attack from anywhere, and not necessarily from the company's network. Even if the attacker's intrusion has been detected and the company has secured its servers, if they don't change the token-signing private key, the attacker can still access the company's cloud apps using golden SAML tickets from outside its network.

In addition, because of how the SAML protocol was designed to work, Golden SAML attacks will bypass two-factor authentication (2FA) and will continue to let attackers issue forged tickets for user accounts, even after the user has changed their password.

Furthermore, attackers can use Golden SAML attacks to issue tokens "with any privileges they desire and be any user on the targeted application, even one that is non-existent in the application in some cases."
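One defender-side check that follows from these properties, as an added example that is not from the article or from CyberArk's tool: a genuine assertion is minted by the IdP and therefore appears in the IdP's own issuance log before any cloud app accepts it, whereas a forged token is signed offline with the stolen key and never passes through the IdP. Reconciling the service provider's sign-in log against the IdP's issuance log (and against the directory of real accounts) surfaces assertions the IdP cannot vouch for. All log records, user names and field names below are constructed for illustration.

```python
"""Spot forged SAML assertions by reconciling cloud-app logins with IdP issuance logs.

Every genuine assertion is minted by the IdP (AD FS, Okta, ...), so the IdP audit trail
records its assertion ID and subject first. A Golden SAML token never touches the IdP,
so the service provider accepts an assertion the IdP has no record of. All records here
are constructed samples, not real data.
"""
from datetime import datetime, timedelta

# Constructed IdP issuance log: assertion ID -> (subject, time issued)
IDP_ISSUED = {
    "_a1": ("alice@example.com", datetime(2017, 11, 20, 9, 0, 0)),
    "_b2": ("bob@example.com", datetime(2017, 11, 20, 9, 5, 0)),
}

# Constructed directory of accounts that actually exist at the IdP
DIRECTORY_USERS = {"alice@example.com", "bob@example.com"}

# Constructed service-provider (cloud app) sign-in log
SP_LOGINS = [
    {"assertion_id": "_a1", "subject": "alice@example.com", "at": datetime(2017, 11, 20, 9, 0, 30)},
    {"assertion_id": "_b2", "subject": "bob@example.com", "at": datetime(2017, 11, 20, 9, 6, 0)},
    # accepted by the app, but the IdP never issued it: the hallmark of a forged token
    {"assertion_id": "_x9", "subject": "bob@example.com", "at": datetime(2017, 11, 21, 3, 14, 0)},
    # assertion for a subject that does not exist in the directory at all
    {"assertion_id": "_y7", "subject": "ghost@example.com", "at": datetime(2017, 11, 21, 3, 15, 0)},
]


def find_forged_logins(idp_issued, directory_users, sp_logins, max_age=timedelta(minutes=5)):
    """Return (assertion_id, reason) for each SP login the IdP log cannot vouch for."""
    findings = []
    for login in sp_logins:
        aid, subject = login["assertion_id"], login["subject"]
        if subject not in directory_users:
            findings.append((aid, "subject not present in directory"))
            continue
        record = idp_issued.get(aid)
        if record is None:
            findings.append((aid, "no matching IdP issuance event"))
            continue
        issued_subject, issued_at = record
        if issued_subject != subject:
            findings.append((aid, "subject differs from IdP record"))
        elif not timedelta(0) <= login["at"] - issued_at <= max_age:
            findings.append((aid, "login outside the assertion's issuance window"))
    return findings


if __name__ == "__main__":
    for aid, reason in find_forged_logins(IDP_ISSUED, DIRECTORY_USERS, SP_LOGINS):
        print(f"ALERT {aid}: {reason}")
```

The same reconciliation also catches a real assertion replayed long after issuance or re-used for a different subject, which is why the time window and subject checks are kept alongside the missing-issuance check.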

DC admins must rotate token-signing private keys periodically

Shaked Reiner, the CyberArk security researcher who discovered and detailed the attack in a blog post last week, also released a tool that automates the process of creating forged authentication tickets for Golden SAML attacks.

Reiner hopes that companies use the tool to test if their current security systems detect Golden SAML attacks.

The expert recommends that companies change the token-signing private key periodically to limit the time an attacker can exploit a stolen key.

Image credits: Nico Ilk, Bleeping Computer, CyberArk