![Apple's F1 Camera Rig Revealed [Video]](https://www.iclarified.com/images/news/97651/97651/97651-640.jpg)
![Apple Shares New Apple Arcade Ad: 'Hold That Train!' [Video]](https://www.iclarified.com/images/news/97653/97653/97653-640.jpg)
![Apple Shares New Shot on iPhone Film: 'Big Man' [Video]](https://www.iclarified.com/images/news/97654/97654/97654-640.jpg)
_Brain_light_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![[The AI Show Episode 153]: OpenAI Releases o3-Pro, Disney Sues Midjourney, Altman: “Gentle Singularity” Is Here, AI and Jobs & News Sites Getting Crushed by AI Search](https://www.marketingaiinstitute.com/hubfs/ep%20153%20cover.png)
![[DEALS] Internxt Cloud Storage Lifetime Subscription (20TB) (89% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Golden SAML Attack Let Attackers Gains Control of The Private Keyused by Federation Server
Cybersecurity professionals are facing a sophisticated new threat as Golden SAML attacks emerge as one of the most dangerous yet stealthy techniques targeting enterprise identity infrastructure. These attacks represent a significant escalation in the threat landscape, allowing malicious actors to forge authentication tokens by compromising the private keys used by federation servers to sign Security […] The post Golden SAML Attack Let Attackers Gains Control of The Private Keyused by Federation Server appeared first on Cyber Security News.
Cybersecurity professionals are facing a sophisticated new threat as Golden SAML attacks emerge as one of the most dangerous yet stealthy techniques targeting enterprise identity infrastructure.
These attacks represent a significant escalation in the threat landscape, allowing malicious actors to forge authentication tokens by compromising the private keys used by federation servers to sign Security Assertion Markup Language (SAML) tokens.
Unlike traditional password-based attacks that affect individual accounts, a successful Golden SAML attack can potentially compromise every account within an organization’s identity ecosystem.
The attack derives its name from the notorious Kerberos Golden Ticket attack technique, first described by Benjamin Delpy at Black Hat USA 2014.
CyberArk researchers coined the term “Golden SAML” in November 2017, recognizing the parallel between these two attack methodologies.
While Golden SAML attacks are relatively rare compared to common password spray or phishing attempts, their impact can be devastating when successfully executed.
The technique exploits the fundamental trust relationships that underpin modern single sign-on (SSO) systems, where multiple applications delegate authentication authority to a centralized identity provider.
Microsoft analysts and researchers have identified approximately 20 Golden SAML attacks affecting fewer than ten unique customers over the past 24 months, with detection systems identifying around 50 affected users worldwide per month.
Despite their low frequency, these attacks pose an existential threat to organizational security because they can grant attackers persistent, undetectable access to any SAML-enabled application within the trust boundary.
The attack technique is particularly insidious because it does not rely on exploiting software vulnerabilities but rather leverages the legitimate cryptographic mechanisms that secure federated authentication systems.
The attack vector centers on the compromise of federation servers, particularly Active Directory Federation Services (AD FS) deployments that serve as bridges between on-premises identity infrastructure and cloud applications.
Organizations commonly deploy these hybrid configurations to maintain existing on-premises Active Directory investments while enabling access to cloud services like Microsoft 365, AWS, and other Software-as-a-Service applications.
This architectural pattern creates a critical single point of failure where the compromise of one federation server can cascade across the entire identity trust chain.
Technical Attack Mechanism and Token Forgery Process
The Golden SAML attack unfolds through a sophisticated process that exploits public key cryptography principles underlying SAML authentication.
.gif)
Once attackers gain administrative access to a federation server, they extract the private signing key used to digitally sign SAML tokens.
This process typically requires prior compromise of the federation server through techniques such as credential theft, privilege escalation, or exploitation of server vulnerabilities.
With the stolen private key in hand, attackers can forge SAML tokens for any user identity and embed arbitrary claims and privileges.
The forged tokens include valid digital signatures that pass cryptographic verification by relying party applications, making them indistinguishable from legitimate tokens.
This capability allows attackers to impersonate any user, including high-privilege accounts like domain administrators or service accounts, without triggering traditional authentication mechanisms or multi-factor authentication challenges.
The attack’s stealth characteristics stem from its ability to generate authentic-looking authentication requests that mirror legitimate user behavior.
Unlike stolen tokens that eventually expire, attackers with access to signing keys can generate fresh tokens indefinitely, maintaining persistent access until the compromised keys are rotated.
This persistence mechanism makes Golden SAML attacks particularly dangerous for maintaining long-term access to enterprise environments while evading detection by security monitoring systems that focus on anomalous user behaviors rather than cryptographic token validation.
Power up early threat detection, escalation, and mitigation with ANY.RUN’s Threat Intelligence Lookup. Get 50 trial searches.
The post Golden SAML Attack Let Attackers Gains Control of The Private Keyused by Federation Server appeared first on Cyber Security News.
