Golden SAML Attack
A Golden SAML attack is a post-exploitation technique in which an attacker who has already compromised an organization's Identity Provider (IdP) forges authentication tokens for its cloud services and applications. It targets the trust model of the Security Assertion Markup Language (SAML) protocol, the industry standard for Single Sign-On (SSO): a service provider accepts any assertion that carries a valid signature from the IdP's token-signing key. With that key, the attacker can mint "golden" assertions that impersonate any user, carry a claim that Multi-Factor Authentication (MFA) was already satisfied, and keep working for as long as the stolen key remains trusted.
The Mechanics of a Golden SAML Attack
A Golden SAML attack does not exploit a flaw in the SAML protocol itself; it abuses the protocol working exactly as designed after the IdP's signing secret has been stolen. On Active Directory Federation Services (AD FS), the most common target, the token-signing private key is stored in the AD FS configuration database and protected by a Distributed Key Manager (DKM) key held in Active Directory, so an attacker holding the AD FS service account or domain administrator rights can decrypt and export it. Once the attacker has administrative privileges on the internal network, the attack proceeds in a specific set of steps:
Compromising the Identity Provider: The attacker gains administrative access to the server hosting the IdP, or to an account with equivalent rights over its configuration store.
Extracting the Token-Signing Key: The attacker exports the private key and the associated token-signing certificate that the IdP uses to sign SAML assertions (on AD FS, by reading the configuration database and decrypting the key with the DKM secret from Active Directory).
Forging SAML Assertions: With the stolen private key, the attacker uses offline tooling to generate SAML responses for any user and any relying party. Because each response carries a valid signature from the legitimate key, service providers such as Microsoft 365, AWS, or Salesforce accept it as authentic; the signature is the only proof of origin they have, so they cannot tell a forged assertion from a real one.
Bypassing Security Controls: Because the attacker writes the assertion, they control every claim in it: the user identity (NameID or UPN), group memberships and roles, and the authentication-method claims. Asserting that MFA already occurred (on AD FS, the http://schemas.microsoft.com/claims/multipleauthn authentication-method value) is enough for the service provider to skip its own MFA prompt, unless it is configured to enforce its own MFA regardless of what the federated IdP claims, because the IdP is where MFA is supposed to have happened.
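The four steps above, reduced to working code. This is an added example, not tooling from the page or from any vendor: a generated RSA key stands in for the key exported from the AD FS configuration database, the issuer URL and the "Global Administrator" group are assumed values, and the signature covers the raw serialized assertion rather than a canonicalized XML-DSig envelope (the trust decision the service provider makes is the same). It also shows the only thing that actually stops the forgery: the service provider switching its trust to a rotated key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// Assumed values for the example: the issuer the service provider expects,
// and the authentication-method value AD FS uses to say MFA was performed.
const (
	idpIssuer = "http://sts.example.com/adfs/services/trust"
	mfaClaim  = "http://schemas.microsoft.com/claims/multipleauthn"
)

// Assertion is a deliberately minimal SAML 2.0 assertion, reduced to the
// claims a relying party acts on. Namespaces, Conditions, Audience and the
// XML-DSig envelope are omitted to keep the example short.
type Assertion struct {
	XMLName      xml.Name `xml:"Assertion"`
	ID           string   `xml:"ID,attr"`
	IssueInstant string   `xml:"IssueInstant,attr"`
	Issuer       string   `xml:"Issuer"`
	NameID       string   `xml:"Subject>NameID"`
	AuthnMethod  string   `xml:"AuthnStatement>AuthnContext>AuthnContextClassRef"`
	Groups       []string `xml:"AttributeStatement>Attribute>AttributeValue"`
}

// SignedResponse is what reaches the service provider: the serialized
// assertion plus an RSA-SHA256 signature over it.
type SignedResponse struct {
	AssertionXML []byte
	Signature    []byte
}

// signAssertion plays the attacker's offline forging tool. All it needs is
// the token-signing private key. Simplification: the signature is over the
// raw bytes; real SAML signs a canonicalized assertion with XML-DSig.
func signAssertion(key *rsa.PrivateKey, a Assertion) (SignedResponse, error) {
	body, err := xml.Marshal(a)
	if err != nil {
		return SignedResponse{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{AssertionXML: body, Signature: sig}, nil
}

// Session is what the service provider grants after accepting an assertion.
type Session struct {
	User   string
	MFA    bool
	Groups []string
}

// serviceProviderLogin is the relying party. It checks the signature against
// the IdP's published public key and the issuer, and nothing else: no
// password, no second factor. Those are assumed to have happened at the IdP.
func serviceProviderLogin(trusted *rsa.PublicKey, r SignedResponse) (Session, error) {
	digest := sha256.Sum256(r.AssertionXML)
	if err := rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], r.Signature); err != nil {
		return Session{}, fmt.Errorf("rejected: bad signature: %w", err)
	}
	var a Assertion
	if err := xml.Unmarshal(r.AssertionXML, &a); err != nil {
		return Session{}, fmt.Errorf("rejected: malformed assertion: %w", err)
	}
	if a.Issuer != idpIssuer {
		return Session{}, fmt.Errorf("rejected: unexpected issuer %q", a.Issuer)
	}
	return Session{User: a.NameID, MFA: a.AuthnMethod == mfaClaim, Groups: a.Groups}, nil
}

// forgeGoldenSAML runs the attack end to end with a stolen key: mint an
// assertion for any victim, mark it MFA-satisfied, grant any groups, and
// present it to a service provider that trusts some public key.
func forgeGoldenSAML(stolen *rsa.PrivateKey, trusted *rsa.PublicKey, victim string) (Session, error) {
	forged := Assertion{
		ID:           fmt.Sprintf("_%d", time.Now().UnixNano()),
		IssueInstant: time.Now().UTC().Format(time.RFC3339),
		Issuer:       idpIssuer,
		NameID:       victim,
		AuthnMethod:  mfaClaim,
		Groups:       []string{"Global Administrator"},
	}
	resp, err := signAssertion(stolen, forged)
	if err != nil {
		return Session{}, err
	}
	return serviceProviderLogin(trusted, resp)
}

func main() {
	// Stand-in for the key exported from the AD FS configuration database.
	stolen, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// While the SP trusts the stolen key, any victim can be impersonated.
	sess, err := forgeGoldenSAML(stolen, &stolen.PublicKey, "cio@example.com")
	fmt.Printf("before rotation: %+v err=%v\n", sess, err)
	// Rotating the token-signing key and updating the SP's trust is the fix.
	rotated, _ := rsa.GenerateKey(rand.Reader, 2048)
	sess, err = forgeGoldenSAML(stolen, &rotated.PublicKey, "cio@example.com")
	fmt.Printf("after rotation:  %+v err=%v\n", sess, err)
}
```

Note that the victim's password never appears anywhere in the flow; the first call succeeds with an MFA-marked administrator session, and the second fails only because the service provider no longer trusts the stolen key's public half.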
Why Golden SAML Attacks are a Critical Risk
The "Golden" prefix refers to the absolute level of control and persistence this attack provides, similar to a "Golden Ticket" attack in Kerberos. It is considered a critical risk for several reasons:
Total Impersonation: An attacker can impersonate any user in the organization, including global administrators, without ever knowing the user's actual password.
MFA Bypass: Because the forged token informs the service provider that MFA has already been completed, the attacker is never prompted for a second factor.
Persistent Access: As long as the stolen token-signing key remains trusted by the service providers, the attacker can continue to mint new tokens at will. Changing a user's password does not stop the attack, because the password is never used in the forging process.
Difficult Detection: The assertion is produced offline on the attacker's machine, so the IdP never logs a token issuance for it, and to the service provider the resulting sign-in looks like any other federated login. Logs on either side, read in isolation, show nothing malicious; the evidence is in the gap between them.
How to Detect and Prevent Golden SAML Attacks
Defending against Golden SAML requires a focus on protecting the Identity Provider and monitoring for unusual certificate activity.
Protect the IdP Infrastructure: Treat your SSO and IdP servers as Tier 0 assets—the most critical part of your network. Limit administrative access and use dedicated, hardened systems for management.
Use Hardware Security Modules (HSMs): Store the token-signing private key in an HSM so that it cannot be exported, even by an attacker who controls the server's operating system. Note the limit: an attacker with administrative control of the IdP host can still ask the HSM to sign assertions on their behalf, so the HSM removes the "steal once, forge forever" property but not the need to keep the IdP itself uncompromised.
Monitor for Anomalous Logons: Correlate service-provider sign-in logs with IdP token-issuance events (on AD FS, security audit Event ID 1200, "The Federation Service issued a valid token"). A federated sign-in at the service provider with no matching issuance event for that user on any AD FS server in the farm strongly indicates a forged token. Also watch for exports of the token-signing certificate and for tokens whose lifetime exceeds what the IdP is configured to issue.
Rotate Token-Signing Keys: Rotate the token-signing certificate and key on a schedule, and immediately after any suspected IdP compromise. Rotation only helps once every relying party trusts the new certificate and has stopped trusting the old one, so update the federation trust at each service provider and remove the old certificate rather than leaving both valid during a long rollover window. Frequent rotation limits the "shelf life" of any stolen key.
Reduce the Federation Footprint: Where a cloud identity platform such as Microsoft Entra ID supports managed authentication (password hash synchronization or pass-through authentication), moving federated domains to it removes the on-premises token-signing key entirely, so there is no AD FS key left to steal. Where federation must remain, cloud-native IdPs typically keep their signing keys in infrastructure that customers, and therefore attackers with customer credentials, cannot export from.
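The log correlation described under "Monitor for Anomalous Logons", as an added example that is not part of the original page or of any product. The two logs are constructed sample data in a simplified "timestamp,field,field" form: the service-provider side lists federated sign-ins, the IdP side lists AD FS audit events by ID, and only Event ID 1200 counts as a token issuance (1202 is a credential validation, which a forged token never triggers either). The window and clock-skew allowance are assumed tuning values; in production the IdP feed must cover every AD FS server in the farm, and the user key is normally the UPN carried in the 1200 event's audit payload.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample logs (not real data). SP side: "timestamp,user,sourceIP"
// for each federated sign-in. IdP side: "timestamp,eventID,user" for each
// AD FS security audit event. 1200 = token issued, 1202 = credential validated.
const spSignIns = `2024-03-04T09:00:12Z,alice@example.com,203.0.113.10
2024-03-04T09:41:05Z,bob@example.com,198.51.100.7
2024-03-04T11:15:44Z,admin@example.com,192.0.2.99
2024-03-04T12:00:00Z,carol@example.com,203.0.113.22`

const idpEvents = `2024-03-04T08:59:58Z,1200,alice@example.com
2024-03-04T09:40:50Z,1200,bob@example.com
2024-03-04T10:02:03Z,1202,admin@example.com
2024-03-04T12:00:20Z,1200,carol@example.com`

// SPSignIn is one federated sign-in accepted by the service provider.
type SPSignIn struct {
	At   time.Time
	User string
	IP   string
}

func parseSPSignIns(raw string) ([]SPSignIn, error) {
	var out []SPSignIn
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed SP line %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, SPSignIn{At: at, User: strings.ToLower(f[1]), IP: f[2]})
	}
	return out, nil
}

// parseIssuances keeps only Event ID 1200 and returns issuance times per user.
func parseIssuances(raw string) (map[string][]time.Time, error) {
	out := map[string][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed IdP line %q", line)
		}
		if f[1] != "1200" {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		u := strings.ToLower(f[2])
		out[u] = append(out[u], at)
	}
	return out, nil
}

// orphanSignIns returns SP sign-ins with no IdP issuance for the same user
// inside [signIn-window, signIn+skew]. The skew allowance absorbs clock drift
// between the two log sources; a forged assertion has no issuance at all.
func orphanSignIns(signins []SPSignIn, issued map[string][]time.Time, window, skew time.Duration) []SPSignIn {
	var orphans []SPSignIn
	for _, s := range signins {
		matched := false
		for _, t := range issued[s.User] {
			if !t.Before(s.At.Add(-window)) && !t.After(s.At.Add(skew)) {
				matched = true
				break
			}
		}
		if !matched {
			orphans = append(orphans, s)
		}
	}
	return orphans
}

// huntGoldenSAML runs the correlation over the embedded sample logs.
func huntGoldenSAML() ([]SPSignIn, error) {
	signins, err := parseSPSignIns(spSignIns)
	if err != nil {
		return nil, err
	}
	issued, err := parseIssuances(idpEvents)
	if err != nil {
		return nil, err
	}
	return orphanSignIns(signins, issued, 5*time.Minute, time.Minute), nil
}

func main() {
	orphans, err := huntGoldenSAML()
	if err != nil {
		panic(err)
	}
	for _, o := range orphans {
		fmt.Printf("no IdP issuance for %s at %s from %s: possible forged SAML token\n",
			o.User, o.At.Format(time.RFC3339), o.IP)
	}
}
```

On the sample data only the admin@example.com sign-in is flagged: the IdP saw that account validate a credential an hour earlier but never issued it a token. Carol's sign-in is not flagged even though her issuance event is logged twenty seconds after the SP timestamp; without the skew allowance it would be a false positive, which is why the tolerance is a parameter rather than a hard zero.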
Common Questions About Golden SAML Attacks
How is a Golden SAML attack different from a standard phishing attack?
In a standard phishing attack, an attacker steals a user's password or session cookie. In a Golden SAML attack, the attacker steals the "master key" of the entire identity system. This allows them to create their own sessions for any user at any time, without needing to interact with individual users.
Can changing my password stop a Golden SAML attack?
No. Because the attacker is using the stolen private key to sign a forged assertion, the user's password is never checked. To stop the attack, the organization must revoke and replace the compromised token-signing certificate and private key, and update every relying party so it no longer trusts the old certificate.
Does Multi-Factor Authentication (MFA) block Golden SAML?
Not on its own. The forged SAML assertion includes a claim that MFA has already been performed at the IdP. The service provider trusts this claim because it is signed by the stolen private key, so it does not challenge the attacker for a second factor unless it is configured to enforce its own MFA regardless of what the federated IdP asserts.
Is Golden SAML related to the SolarWinds breach?
Yes. The technique itself was described publicly in 2017, but it gained significant attention during the SolarWinds (SUNBURST) intrusion, in which the attackers used forged SAML tokens to move from compromised on-premises environments into the cloud environments of high-profile targets.
How ThreatNG Defends Against Golden SAML Attacks
A Golden SAML attack is a high-impact post-exploitation technique where an attacker compromises an Identity Provider (IdP) to forge authentication tokens. ThreatNG helps organizations defend against this threat by securing the external attack surface that enables the initial breach and by identifying leaked information that facilitates the theft of signing keys. By acting as an external auditor, the platform provides the visibility needed to disrupt the attack lifecycle before an adversary can gain the administrative access required to execute a Golden SAML attack.
External Discovery: Mapping the Identity Attack Surface
ThreatNG begins the defense process through purely external, unauthenticated discovery. It identifies the public-facing components of an organization’s identity infrastructure that an attacker would target first.
Identification of Identity Providers: The platform automatically discovers subdomains and IP addresses associated with Single Sign-On (SSO) and Identity Provider (IdP) services, such as Microsoft Entra ID or Active Directory Federation Services (AD FS).
Shadow IT Detection: ThreatNG finds forgotten or unauthorized "Shadow IT" instances where SAML might be misconfigured. These unmanaged side doors often lack the robust security controls found on official corporate systems, making them ideal targets for initial access.
SaaS Footprint Mapping: Through the SaaSqwatch module, the platform identifies the specific Software-as-a-Service (SaaS) applications that rely on the organization’s SAML tokens, helping security teams understand the full scope of what a compromised token could access.
External Assessment: Validating Initial Access Vulnerabilities
Once identity assets are discovered, ThreatNG conducts in-depth external assessments to determine whether they can serve as stepping stones to reach the internal IdP server.
BEC and Phishing Susceptibility: ThreatNG provides an A-F security rating for Business Email Compromise (BEC) and Phishing. A poor rating indicates that an organization’s domain is vulnerable to impersonation. For example, if a domain lacks a DMARC "reject" policy, an attacker can send a highly convincing phishing email to an IT administrator. This is a common first step in a Golden SAML attack, since the attacker needs the administrator's credentials to access the server that stores the token-signing keys.
Subdomain Takeover Validation: The platform identifies "Dangling DNS" records where a subdomain points to an inactive service. A detailed example of this risk is an attacker claiming an abandoned dev-sso.example.com subdomain. They can then host a malicious login page on a legitimate corporate URL, tricking users into providing the high-level credentials needed to access the core identity infrastructure.
WAF and Security Header Identification: ThreatNG checks whether administrative identity portals are protected by a Web Application Firewall (WAF) or have critical headers such as HSTS. If a portal is missing these defenses, an attacker can use man-in-the-middle (MITM) or protocol downgrade attacks to intercept the very administrative sessions that manage the SAML signing keys.
Continuous Monitoring and Strategic Reporting
Because the threat of identity compromise is constant, ThreatNG provides ongoing vigilance and maps findings to strategic business risks.
Real-Time Exposure Alerts: The platform monitors the digital presence 24/7 for new subdomains or configuration changes. If a new administrative portal appears without proper security headers, ThreatNG issues a priority alert so it can be secured before an attacker discovers it.
GRC Framework Mappings: Technical findings are mapped to compliance frameworks like NIST CSF, ISO 27001, and SOC 2. For instance, a vulnerability that could lead to an identity breach is mapped to NIST "Protect" and "Detect" functions, providing the documentation needed for regulatory audits.
Security Ratings for Brand Damage: ThreatNG translates identity risks into an overall security rating. A downgrade in the "Breach and Ransomware Susceptibility" rating clearly signals to executive leadership that the organization’s identity foundation is at risk.
Investigation Modules: Deep Intelligence for Identity Security
ThreatNG uses specialized investigation modules to hunt for specific data leaks that lead to a Golden SAML attack.
Sensitive Code Exposure: This module scans public code repositories, such as GitHub, for leaked "Access Credentials." A critical example of ThreatNG helping is identifying a token-signing certificate or a private key that a developer accidentally committed to a public repository. Finding this key externally allows the organization to revoke it before an attacker uses it to forge a Golden SAML token.
Dark Web Investigation: ThreatNG monitors the dark web for mentions of the organization. This helps determine whether the credentials of an identity administrator are being sold or whether there is chatter about a specific vulnerability in the organization’s SSO implementation.
Search Engine Exploitation: This facility investigates whether sensitive administrative files or configuration guides for the organization's IdP have been indexed by search engines. This prevents attackers from finding the technical documentation they need to navigate the internal identity network.
Intelligence Repositories: Global Threat Context
The platform is powered by the DarCache, a collection of intelligence repositories that provide context to technical exposures.
DarCache Rupture: This repository contains compromised corporate email addresses from third-party data breaches. By identifying when an IT or Identity administrator’s email appears in a leak, ThreatNG highlights the accounts that are most likely to be targeted for initial access to the IdP.
DarCache Vulnerability: This engine correlates discovered SSO technologies with the Known Exploited Vulnerabilities (KEV) list. If the organization runs a version of SAML-related software with a known exploited flaw, ThreatNG prioritizes that asset for immediate patching.
Cooperation with Complementary Solutions
ThreatNG provides the external "ground truth" that increases the effectiveness of internal security tools through proactive cooperation.
Complementary Solutions for CASB: ThreatNG identifies unsanctioned SaaS applications through the SaaSqwatch module. This data is then used by a Cloud Access Security Broker (CASB) to ensure that SAML authentication policies are applied to every app in use, not just the ones IT knows about.
Complementary Solutions for SIEM and XDR: ThreatNG feeds external risk intelligence into a Security Information and Event Management (SIEM) system. For example, if ThreatNG finds an administrator's credentials on the dark web, the SIEM can automatically escalate any internal alerts related to that user’s activity, spotting a Golden SAML attack in progress.
Complementary Solutions for Identity Threat Detection and Response (ITDR): While ITDR tools monitor for internal lateral movement, ThreatNG serves as the external scout, identifying how the attacker got in. It provides the "Initial Access" data that allows ITDR systems to focus their monitoring on the most likely entry points.
Common Questions About Golden SAML and ThreatNG
Can ThreatNG detect a forged SAML token?
ThreatNG does not monitor internal traffic, so it does not see the token itself. Instead, it identifies the external exposures—like leaked signing keys in code repositories or compromised administrator credentials—that are the necessary ingredients for forging a Golden SAML token.
How does ThreatNG find shadow identity systems?
The platform uses purely external, agentless discovery. By scanning DNS records, global cloud instances, and archived web pages, it finds every portal associated with your organization, even if it was set up by a business unit without the central security team's knowledge.
Why is phishing susceptibility important for Golden SAML defense?
An attacker needs high-level administrative access to steal a token-signing key. Phishing is the most common way to get those credentials. By identifying and fixing domain misconfigurations that enable phishing, ThreatNG stops the attack at the very first step.
What should I do if ThreatNG finds my signing key in a public repo?
If the Sensitive Code Exposure module identifies a key or certificate, you should immediately revoke that certificate in your Identity Provider, rotate the signing key, update every relying party to trust only the new certificate, and audit service-provider sign-in logs against IdP token-issuance events to check for unauthorized access while the leaked key was valid.