Beware of the new Silver SAML attack – Forge SAML responses

March 4, 2024

TLDR:

  • Silver SAML attack allows attackers to forge any SAML response to enter Entra ID.
  • Attackers can exploit Entra ID using applications, posing a severe risk to organizations.

The recent discovery of the Silver SAML attack poses a significant threat to organizations that use Entra ID for SAML authentication. Entra ID is widely used to authenticate users into applications, but the self-signed certificate used to sign SAML responses can be turned against the organization. Unlike the Golden SAML attack, which extracts signing certificates from Active Directory Federation Services, the Silver SAML attack targets Microsoft Entra ID and does not rely on ADFS at all. If an attacker obtains the private key of an externally generated signing certificate, they can forge any SAML response and gain unauthorized access to applications as any user.

The main issue with SAML signing certificates lies in how organizations manage them. Externally generated certificates weaken SAML security, and sending certificate PFX files and their passwords over insecure channels makes the exposure worse. By intercepting and replacing the SAML response, an attacker holding the key can use tools such as “SilverSAMLForger” to log in to the application as a targeted user. Organizations are advised to secure their SAML authentication systems proactively and manage signing certificates safely to prevent such attacks.
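One proactive check a defender can run is an inventory of which SAML applications in the tenant sign with a certificate that was uploaded from outside Entra ID rather than generated by it, since those are the keys whose private half may have travelled around as a PFX. The script below is an added example, not code from the post or from the Silver SAML researchers; it assumes the Microsoft Graph keyCredential fields (usage, type, displayName, endDateTime) and assumes that Entra-generated SAML signing certificates carry the subject "CN=Microsoft Azure Federated SSO Certificate", both of which you should confirm against your own tenant. The input is a constructed sample shaped like a Graph response, not live data.

```python
"""Flag SAML signing certificates in Entra ID service principals that were not
generated by Entra ID, or that have expired. Added example with constructed input."""
from datetime import datetime, timezone

# Assumed subject of the certificate Entra ID generates for SAML apps.
ENTRA_DEFAULT_SUBJECT = "CN=Microsoft Azure Federated SSO Certificate"

# Constructed sample shaped like GET /servicePrincipals?$select=displayName,keyCredentials
SAMPLE_SERVICE_PRINCIPALS = [
    {"displayName": "Payroll App", "keyCredentials": [
        {"usage": "Sign", "type": "AsymmetricX509Cert",
         "displayName": ENTRA_DEFAULT_SUBJECT, "endDateTime": "2026-01-01T00:00:00Z"},
        {"usage": "Verify", "type": "AsymmetricX509Cert",
         "displayName": ENTRA_DEFAULT_SUBJECT, "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"displayName": "Legacy CRM", "keyCredentials": [
        {"usage": "Sign", "type": "AsymmetricX509Cert",
         "displayName": "CN=crm-sso.corp.example", "endDateTime": "2023-06-30T00:00:00Z"}]},
]


def _parse_utc(iso_z: str) -> datetime:
    """Graph returns timestamps like 2026-01-01T00:00:00Z; fromisoformat needs +00:00."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def find_risky_signing_certs(service_principals, now_iso=None):
    """Return one finding per 'Sign' credential that is external or expired.

    now_iso: optional ISO-8601 UTC timestamp used as "now" (defaults to the real clock).
    """
    now = _parse_utc(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    for sp in service_principals:
        for cred in sp.get("keyCredentials", []):
            if cred.get("usage") != "Sign":  # only the key that signs SAML responses matters
                continue
            reasons = []
            if cred.get("displayName") != ENTRA_DEFAULT_SUBJECT:
                reasons.append("externally generated signing certificate")
            if _parse_utc(cred["endDateTime"]) < now:
                reasons.append("expired")
            if reasons:
                findings.append({"app": sp["displayName"],
                                 "cert": cred.get("displayName"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_signing_certs(SAMPLE_SERVICE_PRINCIPALS):
        print(f"{f['app']}: {f['cert']} -> {', '.join(f['reasons'])}")
```

Every application flagged as external is a candidate for rotating back to an Entra-generated certificate, or at least for confirming how its private key was handled.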
