Silver SAML: a new cloud hacking technique that Microsoft can't stop

How the attack allows an attacker to mimic any user.

Semperis has revealed a new attack technique called Silver SAML, which can bypass security in identity systems. The Silver SAML technique allows you to use SAML to launch attacks from an identity provider (for example, Entra ID) against applications that use Entra ID for authentication (for example, Salesforce).

It is noted that Silver SAML is similar to the Golden SAML technique, which was first documented by CyberArk in 2017. The attack vector involves abusing a compatible authentication standard to impersonate virtually any individual in the organization.

The Silver SAML attack is a modification of Golden SAML. The technique works with the Microsoft Entra ID identity provider (formerly Azure Active Directory) and does not require access to Active Directory Federation Services (AD FS). Silver SAML was rated as a medium-level threat to organizations.

Microsoft, following a responsible disclosure on January 2, 2024, said that the issue does not meet the criteria for an immediate solution, but noted that it will take appropriate actions as necessary to protect customers.

Although there is no evidence that Silver SAML is used in real-world environments, organizations are encouraged to use only self-signed Entra ID certificates to sign SAML. Semperis also provided a Proof-of-Concept (PoC) called SilverSAMLForger for creating custom SAML responses.

Semperis explains that organizations can monitor the Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint in the ApplicationManagement section. It is important to correlate these events with the "Add service principal credential" events for the same service principal. Rotation of expired certificates is a common process, so you need to determine whether the audit events are legitimate. Implementing change control processes to document rotation can help minimize confusion during rotation events.
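As an added illustration of the monitoring advice above (this is not code from the post or from Semperis), the Python below walks constructed Entra ID audit entries, lists every PreferredTokenSigningKeyThumbprint change and checks whether an "Add service principal credentials" event by the same actor preceded it for the same service principal. The field names follow the Microsoft Graph directoryAudit shape and the sample ids, actors and thumbprints are made up; both are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample entries (not real tenant data), shaped after the Microsoft
# Graph directoryAudit record; the actors, ids and thumbprints are made up.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-03-01T09:00:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "idadmin@example.test"}},
     "targetResources": [{"id": "sp-salesforce", "displayName": "Salesforce", "modifiedProperties": []}]},
    {"activityDateTime": "2024-03-01T09:05:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Update service principal",
     "initiatedBy": {"user": {"userPrincipalName": "idadmin@example.test"}},
     "targetResources": [{"id": "sp-salesforce", "displayName": "Salesforce", "modifiedProperties": [
         {"displayName": "PreferredTokenSigningKeyThumbprint", "oldValue": "1111AAAA", "newValue": "2222BBBB"}]}]},
    {"activityDateTime": "2024-03-02T22:40:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Update service principal",
     "initiatedBy": {"user": {"userPrincipalName": "svc-automation@example.test"}},
     "targetResources": [{"id": "sp-hr-portal", "displayName": "HR Portal", "modifiedProperties": [
         {"displayName": "PreferredTokenSigningKeyThumbprint", "oldValue": "3333CCCC", "newValue": "4444DDDD"}]}]},
]

def _when(ev):
    return datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))

def _actor(ev):
    return ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")

def review_signing_key_changes(events, window=timedelta(hours=24)):
    """One finding per PreferredTokenSigningKeyThumbprint change (ApplicationManagement), correlated
    with 'Add service principal credentials' events for the same principal within `window` before it."""
    adds = [(_when(e), tr["id"], _actor(e)) for e in events
            if e.get("activityDisplayName") == "Add service principal credentials"
            for tr in e.get("targetResources", [])]
    findings = []
    for ev in events:
        if ev.get("category") != "ApplicationManagement":
            continue
        for tr in ev.get("targetResources", []):
            for mp in tr.get("modifiedProperties", []):
                if mp.get("displayName") != "PreferredTokenSigningKeyThumbprint":
                    continue
                t, who = _when(ev), _actor(ev)
                related = [a for a in adds if a[1] == tr["id"] and timedelta(0) <= t - a[0] <= window]
                # No key upload recorded for this principal by the same actor in the window:
                # pull the change-control record before treating it as routine rotation.
                findings.append({"time": t.isoformat(), "sp": tr["id"], "sp_name": tr.get("displayName"),
                                 "actor": who, "old": mp.get("oldValue"), "new": mp.get("newValue"),
                                 "credential_adds": len(related),
                                 "unexplained": not any(a[2] == who for a in related)})
    return findings
```

On the sample data the Salesforce change is paired with a credential upload by the same administrator minutes earlier, while the HR Portal change has no such event and is marked for review.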