Golden SAML.

An identity-attack technique that steals a federation IdP's token-signing private key (typically from AD FS) and forges arbitrary SAML responses, granting persistent, MFA-bypassing access to any federated service. Относится к категории Идентификация и доступ в кибербезопасности.

An identity-attack technique that steals a federation IdP's token-signing private key (typically from AD FS) and forges arbitrary SAML responses, granting persistent, MFA-bypassing access to any federated service.

Golden SAML was disclosed by CyberArk Labs in 2017 and shot to prominence as a documented technique used in the 2020 SolarWinds-Sunburst intrusions. The attack assumes a federated identity model: an on-premises identity provider (most often Microsoft AD FS) signs SAML responses with a private token-signing key whose public counterpart is trusted by every relying party — Microsoft 365, AWS, Salesforce, Workday, and so on. An attacker who reaches AD FS with sufficient privilege (Domain Admin, AD FS service account) can extract that private key and then sign SAML responses for any user, any group memberships, with no need to log in to the IdP at all. Because the resulting tokens are cryptographically valid, MFA prompts, password resets, and account lockouts are bypassed; revocation requires rotating the token-signing certificate and re-establishing trust with every relying party. Defensive controls focus on hardening AD FS (HSM-backed signing keys, restricted Tier-0 access, monitoring of `Microsoft-Windows-Security-Auditing` 410/411 events), migrating to cloud-native IdPs (Entra ID with no AD FS), and detecting anomalous SAML assertions at relying parties (e.g. impossible NameID claims, unfamiliar issuers, sudden first-seen IPs).

Защита от Golden SAML обычно сочетает технические меры и операционные практики, как описано в определении выше.

Распространённые альтернативные названия: Golden SAML attack.