Silver SAML: Active Directory Attack Technique Explained


In this blog post, you’ll be introduced to Silver SAML, a variant of Golden SAML. Golden SAML is a sophisticated attack technique used by hackers to bypass MFA (multifactor authentication) and gain access to sensitive data. Silver SAML operates similarly, but targets Microsoft Entra ID rather than on-premises Active Directory.  

Thanks to Semperis for sponsoring this post.

What is Golden SAML? 

CyberArk Labs discovered a sophisticated attack vector in 2020 called Golden SAML. It affected SolarWinds and enabled an attacker to create a forged SAML (Security Assertion Markup Language) authentication object that gave the attacker access to authenticate various services that use the SAML 2.0 protocol for SSO (single sign-on) purposes. 

In a Golden SAML attack, an attacker gains unauthorized privileges (a Golden Ticket) to a company’s network. The attack involves compromising the ADFS (Active Directory Federation Services) certificate on an on-premises ADFS server.  

Next, they use the certificate to forge SAML authentication responses. This enables the attacker to impersonate any user identity within that organization and acquire access across services (e.g., applications) that use SAML for authentication. 

What is Silver SAML? 

Silver SAML is a variant of Golden SAML. Whereas Golden SAML is known for extracting certificates from ADFS, Silver SAML exploits a more modern system: Entra ID. 

Many companies use Entra ID as their identity provider (IdP) for SaaS (Software as a Service) and other applications. Entra ID provides a self-signed certificate for SAML response signing. This certificate is the target of Silver SAML attacks.  

Entra ID gives organizations the option of using an externally generated certificate (such as one from DigiCert). But using externally generated certificates weakens SAML security.  

Many companies generate certificates through an enterprise PKI (public key infrastructure) and obtain others through an external CA (certificate authority). They then send the certificate files (e.g., PFX, CRT) through insecure communication methods such as Microsoft Teams, email, or Slack.  

If an attacker can obtain the certificate’s private key, they can forge any SAML token response and sign it with the same key that Entra ID holds. The attacker can then gain access to all SSO-enabled apps in the organization. 

Can using Azure Key Vault prevent a Silver SAML attack? 

Azure Key Vault provides a secure repository for storing cryptographic keys, secrets, and certificates. Organizations can use this feature to manage certificates used for SAML signing within their own IdP systems, like Entra ID.  

However, using Azure Key Vault to securely store certificates, private keys, and so on does not eliminate the Silver SAML attack vector. 

SAML and Microsoft Entra ID 

SAML 2.0 is almost 20 years old. In March of 2005, OASIS published the protocol. Since this time, many enterprises have used SAML for federated authentication and to improve and streamline the end-user experience accessing cloud applications. 

Consider the overall steps in a SAML profile flow: an end-user accessing an external application. 

  1. The user browses to a URL for the application (Okta). 
  1. The application (Okta, acting as the service provider) generates a SAML request and redirects the user to Entra ID. 
  1. Entra ID ingests and processes the SAML request. 
  1. If the user has not recently authenticated to Entra ID, they are prompted to authenticate. 
  1. The user successfully authenticates with Entra ID. 
  1. Entra ID generates a SAML response and redirects the user back to Okta. 
  1. Okta then verifies the SAML response based on its internal, proprietary identity access system. 
  1. The user gains access to the application. 
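Step 7 of the flow above, the service provider's verification of the SAML response, as an added example that is not code from the original post, from Okta, or from Semperis. It is a small Python validator that applies the standard SP-side checks to a constructed SAML Response: Issuer, Destination, InResponseTo, Status, the Audience (the application's Entity ID), the Recipient, the validity window, and a pin of the certificate the SP stored for this IdP at setup time. The hostnames, request ids and certificate bytes are constructed placeholders, the Issuer follows Entra ID's sts.windows.net tenant-issuer format with a zero GUID, and the XML-DSig signature value itself is left to a signature library rather than reproduced here. The point for Silver SAML: a response signed with the tenant's real signing key passes every one of these checks, which is why the defenses discussed later sit on the key side (non-exportable keys, auditing) rather than at the service provider.

```python
"""SP-side checks on a SAML 2.0 Response (added example, not the post's code).

Constructed fixture: hosts, ids and certificate bytes below are placeholders.
The XML-DSig signature value is verified by a signature library in a real SP
and is not reproduced here; the certificate pin stands in for that step.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# What the SP stored when the integration was set up (constructed values).
SP_ENTITY_ID = "https://sp.example.test/okta"       # the 'Identifier (Entity ID)'
ACS_URL = "https://sp.example.test/sso/saml"         # Reply URL, i.e. the Recipient
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
REQUEST_ID = "_req-42"                                # id of the AuthnRequest the SP sent
TRUSTED_CERT_DER = b"constructed DER of the Entra ID signing certificate"
OTHER_CERT_DER = b"constructed DER of some other certificate"


def thumbprint(der):
    """SHA-1 thumbprint of DER certificate bytes, as admin consoles display it."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-02-01T12:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


TRUSTED_THUMBPRINT = thumbprint(TRUSTED_CERT_DER)
NOW = parse_utc("2024-02-01T12:01:00Z")  # constructed 'current time' for the checks


def sample_response(cert_der, audience=SP_ENTITY_ID, in_response_to=REQUEST_ID):
    """Constructed, minimal SAML Response; Signature carries only the certificate."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp-1" InResponseTo="{in_response_to}"
    Destination="{ACS_URL}" IssueInstant="2024-02-01T12:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_asrt-1">
    <saml:Subject>
      <saml:NameID>admin@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}"
            NotOnOrAfter="2024-02-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-02-01T11:55:00Z" NotOnOrAfter="2024-02-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, *, sp_entity_id, acs_url, expected_issuer,
                      expected_request_id, trusted_thumbprint, now):
    """Return the names of the failed checks; an empty list means the SP accepts it."""
    root = ET.fromstring(xml_text)
    failed = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        failed.append("issuer")
    if root.get("Destination") != acs_url:
        failed.append("destination")
    if root.get("InResponseTo") != expected_request_id:
        failed.append("in_response_to")  # unsolicited response in an SP-initiated flow
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        failed.append("status")
    cert_b64 = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert_b64 is None or thumbprint(base64.b64decode(cert_b64)) != trusted_thumbprint:
        failed.append("signing_cert")  # not the certificate published for this IdP
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failed + ["assertion"]
    if assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                          namespaces=NS) != sp_entity_id:
        failed.append("audience")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter"))):
        failed.append("validity_window")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != expected_request_id
            or now >= parse_utc(scd.get("NotOnOrAfter"))):
        failed.append("subject_confirmation")
    return failed


def check(xml_text, now=NOW):
    """Run validate_response with the SP's stored configuration."""
    return validate_response(xml_text, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                             expected_issuer=IDP_ISSUER, expected_request_id=REQUEST_ID,
                             trusted_thumbprint=TRUSTED_THUMBPRINT, now=now)


if __name__ == "__main__":
    print("pinned cert   :", check(sample_response(TRUSTED_CERT_DER)))
    print("other cert    :", check(sample_response(OTHER_CERT_DER)))
    print("wrong audience:", check(sample_response(TRUSTED_CERT_DER, audience="https://sp.example.test/other")))
```

The first line printed is an empty list: a response carrying the pinned certificate and the expected audience, recipient, issuer and request id is accepted, and nothing in this list distinguishes a response produced by Entra ID from one produced by anybody else holding the same signing key.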

A Silver SAML attack, explained 

Researchers at Semperis, the company that discovered Silver SAML, developed a tool called SilverSAMLForger, which they used to test their theory of this attack technique. The tool generates a SAML response that mimics (or duplicates) an Entra ID response and signs it with a provided certificate. 

Semperis detailed an example of a Silver SAML attack in an SP-initiated flow. They used Entra ID as the IdP and Okta as the service provider. 

SP-initiated flow diagram (Image: semperis.com)

Semperis attempted to forge a SAML response for a specific super administrator in a developer M365 tenant. They did not have the user’s password or MFA-configured device. They used information in the Okta enterprise application to determine which URL to use to access the application, and took the Entity ID (URL) from the app’s SAML 2.0-based single sign-on (SSO) configuration. The ‘Identifier (Entity ID)’ identifies an application to Microsoft Entra ID; this value must be unique across all applications in an organization’s Microsoft Entra tenant. The default identifier is the audience of the SAML response for IdP-initiated SSO.

Identifying the signing recipient and audience (Image: semperis.com)

They ran SilverSAMLForger.exe with the required parameters, which output a base64- and URL-encoded string. They then replaced the legitimate SAML response in the intercepted HTTPS request with this forged one. 

SAML generated response (Image: semperis.com)

After sending the forged response, they could stop the interception, as they were logged into the application as the super administrator user account. 

Defending against Silver SAML attacks 

On paper, it is startling to see the relative ease with which attackers can use Silver SAML to circumvent approaches that were previously thought to be secure. What steps can you take to protect your applications and resources from Silver SAML attacks? Let’s find out. 

There is one core design decision you can make to protect yourself: Use only self-signed certificates for SAML signing purposes. If you run a GET request using the Microsoft Graph API to view exposed information related to a signing key in Entra ID, you will get something like this. 

Exposed signing key information (Image: semperis.com)

Because the private key material is not exportable, attackers can’t gather the information they need to launch a Silver SAML attack. Global Administrators, Cloud Application Administrators, or any user with delegated rights to application ownership can determine and set which signing keys are available.  

They can also import an external signing key. Audit, audit, audit: keep an eye on all audit logs for your enterprise applications. Any changes to signing keys will be logged. 

A quick tool in your arsenal when auditing your existing applications is to check the displayName attribute. If the certificate is generated by Microsoft, the cert will contain the value CN=Microsoft Azure Federated SSO Certificate. Also, make sure you’re exporting your event log systems to a SIEM of some kind. 
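The displayName check described above, turned into a small audit script as an added example (not code from the original post or from Semperis). It reads the JSON that a Microsoft Graph request such as `GET /servicePrincipals?$select=displayName,preferredTokenSigningKeyThumbprint,keyCredentials` returns for enterprise applications and flags every currently valid signing key (`usage` of `Sign`, `type` of `AsymmetricX509Cert`) whose `displayName` is not the value Entra ID stamps on certificates it generates itself. The Graph property names are the real ones; the application names, key ids, thumbprints and dates in the embedded fixture are constructed, and the script works on saved JSON so it runs offline.

```python
"""Audit enterprise-app SAML signing keys from Microsoft Graph output.

Added example, not the post's code. Input is the JSON body of
GET /servicePrincipals?$select=displayName,preferredTokenSigningKeyThumbprint,keyCredentials
saved to a file; the fixture below is constructed sample data.
"""
import json
from datetime import datetime, timezone

# displayName that Entra ID assigns to SAML signing certificates it generates.
MS_GENERATED_CN = "CN=Microsoft Azure Federated SSO Certificate"

# Constructed Graph response: two enterprise apps, one with an imported key.
SAMPLE_GRAPH_JSON = json.dumps({"value": [
    {
        "displayName": "Okta",
        "preferredTokenSigningKeyThumbprint": "THUMBPRINT-PLACEHOLDER-OKTA",
        "keyCredentials": [
            {"keyId": "key-okta-sign", "displayName": MS_GENERATED_CN,
             "type": "AsymmetricX509Cert", "usage": "Sign",
             "startDateTime": "2023-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"},
            {"keyId": "key-okta-verify", "displayName": MS_GENERATED_CN,
             "type": "AsymmetricX509Cert", "usage": "Verify",
             "startDateTime": "2023-06-01T00:00:00Z", "endDateTime": "2026-06-01T00:00:00Z"},
        ],
    },
    {
        "displayName": "Salesforce",
        "preferredTokenSigningKeyThumbprint": "THUMBPRINT-PLACEHOLDER-SFDC",
        "keyCredentials": [
            {"keyId": "key-sfdc-ms", "displayName": MS_GENERATED_CN,
             "type": "AsymmetricX509Cert", "usage": "Sign",
             "startDateTime": "2020-12-01T00:00:00Z", "endDateTime": "2023-12-01T00:00:00Z"},
            {"keyId": "key-sfdc-imported", "displayName": "CN=corp-saml-signing",
             "type": "AsymmetricX509Cert", "usage": "Sign",
             "startDateTime": "2024-01-10T00:00:00Z", "endDateTime": "2027-01-10T00:00:00Z"},
        ],
    },
]})

AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed 'now' for the fixture


def parse_ts(stamp):
    """Graph returns ISO-8601 UTC timestamps, sometimes with fractional seconds."""
    return datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def active_signing_keys(service_principal, now):
    """Signing certificates whose validity window contains `now`."""
    return [
        c for c in service_principal.get("keyCredentials") or []
        if c.get("usage") == "Sign" and c.get("type") == "AsymmetricX509Cert"
        and parse_ts(c["startDateTime"]) <= now < parse_ts(c["endDateTime"])
    ]


def audit_signing_keys(graph_json, now):
    """One finding per active signing key that Entra ID did not generate itself."""
    findings = []
    for sp in json.loads(graph_json).get("value", []):
        active = active_signing_keys(sp, now)
        for cred in active:
            if cred.get("displayName") != MS_GENERATED_CN:
                findings.append({
                    "app": sp.get("displayName"),
                    "keyId": cred.get("keyId"),
                    "displayName": cred.get("displayName"),
                    "activeSigningKeys": len(active),
                    "preferredThumbprint": sp.get("preferredTokenSigningKeyThumbprint"),
                })
    return findings


if __name__ == "__main__":
    for f in audit_signing_keys(SAMPLE_GRAPH_JSON, AUDIT_TIME):
        print(f"{f['app']}: signing key {f['keyId']} is {f['displayName']!r}, "
              f"{f['activeSigningKeys']} active signing key(s), "
              f"preferred thumbprint {f['preferredThumbprint']}")
```

Run it against the real Graph output by loading the saved file in place of `SAMPLE_GRAPH_JSON` and passing the current UTC time. Every application it lists has an externally generated (or renamed) signing certificate, so its private key has existed outside Entra ID at some point and should be reconciled against the audit log entries for that app's certificate changes.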

How to import external certificates in Microsoft Entra ID 

You can configure self-signed certificates on an enterprise application (such as Salesforce or Okta) in the Entra admin center. 

  1. Open the Entra ID admin center. 
  1. Navigate to the Enterprise Application. 
  1. Go to Manage > Single sign-on > SAML > SAML Certificates. 
The SAML Certificates section of Microsoft Entra ID SSO Setup and Configuration (Image Credit: Michael Reinders/Petri.com)
  1. On the SAML Signing Certificate pane, you can also import your own externally generated certificate for SAML response or assertions. 
The SAML Signing Certificate section – here you can create new certificates and import your own… (Image Credit: Michael Reinders/Petri.com)

Keep an eye on Silver SAML 

Golden SAML and Silver SAML attacks exploit vulnerabilities in the SAML authentication process, posing a significant threat to organizations relying on SAML for SSO. 

Silver SAML focuses on exploiting loopholes in cloud-based identity providers like Entra ID. Both methods enable attackers to forge authentication tokens and gain unauthorized access to sensitive resources. To mitigate these risks, organizations should implement robust security measures like strong certificate management, MFA, and regular monitoring of authentication logs. 

Additionally, staying updated on the latest SAML vulnerabilities and implementing recommended patches is crucial.