The Mechanics of Golden SAML

The recent compromise at SolarWinds and the subsequent targeting of numerous other organizations have focused attention on an Active Directory Federation Services (ADFS) bypass technique called “Golden SAML.” In a Golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, etc.) as any user, with any privileges that user holds on the targeted application. This technique was first disclosed by CyberArk in 2017.

What is SAML?

The SAML protocol, or Security Assertion Markup Language, is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML enables Single Sign-On (SSO), meaning users log in once at the identity provider, and that single authentication is reused to sign in to other service providers.

How does it work, you ask? The basic construct is that when a client tries to authenticate with a service provider, it is redirected to the identity provider's authentication server. Once authenticated, the client is handed a cryptographically signed response, which it passes back to the service provider. The service provider validates the response by checking its signature against the identity provider's trusted signing certificate, and only then grants access.

Here is a nice flow chart from Sygnia:


(Image credited to Sygnia)

Enter: Golden SAML

As with anything, there are inherent weaknesses in the protocol that can be exploited. The “Golden SAML” attack vector enables an attacker to forge a SAML “authentication object” (a signed SAML response) and authenticate to every service that uses the SAML 2.0 protocol as an SSO mechanism.

This attack vector was first described back in a 2017 blog post by CyberArk. Basically, there are a few things an adversary needs in order to use this technique. First, they need the private key of the token-signing certificate ADFS uses to sign SAML responses. This generally means they need a foothold in the network and privileged access to the ADFS server to extract the certificate. Multiple tools are available that will help extract the needed certificates, including certutil.exe, PowerShell, ADFSDump, and of course Mimikatz.

Sygnia has another great visual of what a Golden SAML attack looks like.

(Image credited to Sygnia)

Once the adversary has the extracted signing certificate, they can mint responses for virtually any user and privilege level within an organization, and they can do it from anywhere in the world. Additionally, the adversary bypasses Multi-Factor Authentication (MFA) protections, because the identity provider that enforces MFA is removed from the process entirely: the forged response is signed offline and never passes through ADFS.

Mitigations

Always follow best practice guides and recommendations. If you are using Active Directory Federation Services (ADFS), Microsoft provides an excellent resource for securing it. Considering how critical ADFS is, implementing as many security measures as possible is highly recommended. In particular, leverage a Hardware Security Module (HSM) for generating and storing the signing certificate. An HSM keeps the private key on a physical device and performs all cryptographic operations there, so the key can never be exported in plaintext and an adversary cannot extract it. Other mitigations include correlating service-provider login events with the corresponding ADFS token-issuance events (a SAML sign-in with no matching ADFS event is a red flag) and alerting on events involving the export of the signing certificate from the ADFS server.
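The correlation mitigation above, as an added example that is not part of the original post: cloud sign-ins that a service provider attributes to ADFS are matched against ADFS token-issuance events for the same user within a short window, and unmatched sign-ins are flagged. The event records, field names and the ten-minute window are constructed assumptions, not any product's real log schema.

```python
"""Flag cloud SAML sign-ins with no matching ADFS token-issuance event.
A Golden SAML assertion is signed offline with a stolen token-signing key,
so ADFS never logs issuing it; a sign-in the cloud app attributes to ADFS,
with no issuance shortly before it, is a candidate for investigation.
All records here are constructed; field names are assumptions, not a real
product's log schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AdfsIssuance:
    user: str            # account the federation server issued a token for
    issued_at: datetime

@dataclass(frozen=True)
class CloudSignIn:
    user: str
    signed_in_at: datetime
    idp: str             # identity provider named in the sign-in record

def find_unmatched_signins(issuances, signins, window=timedelta(minutes=10)):
    """Return ADFS-attributed sign-ins not preceded by an issuance in window."""
    by_user = {}
    for ev in issuances:
        by_user.setdefault(ev.user.lower(), []).append(ev.issued_at)
    unmatched = []
    for s in signins:
        if s.idp != "adfs":          # cloud-native logins are out of scope
            continue
        # Matched only if some issuance for this user falls in [t-window, t]
        if not any(timedelta(0) <= s.signed_in_at - t <= window
                   for t in by_user.get(s.user.lower(), [])):
            unmatched.append(s)
    return unmatched

T = datetime.fromisoformat
# Constructed sample: carol has no issuance at all; alice's second sign-in
# is far outside the window of her only issuance; dave used a cloud password.
ADFS_EVENTS = [AdfsIssuance("alice@example.com", T("2021-01-15T09:00:12")),
               AdfsIssuance("bob@example.com", T("2021-01-15T09:05:40"))]
CLOUD_EVENTS = [CloudSignIn("alice@example.com", T("2021-01-15T09:00:20"), "adfs"),
                CloudSignIn("bob@example.com", T("2021-01-15T09:06:01"), "adfs"),
                CloudSignIn("carol@example.com", T("2021-01-15T09:07:33"), "adfs"),
                CloudSignIn("dave@example.com", T("2021-01-15T09:08:00"), "password"),
                CloudSignIn("alice@example.com", T("2021-01-15T10:30:00"), "adfs")]

def suspicious_users():
    """Users whose ADFS-attributed sign-ins lack a corresponding issuance."""
    return [s.user for s in find_unmatched_signins(ADFS_EVENTS, CLOUD_EVENTS)]
```

In production the same join runs over the federation server's token-issuance log and the cloud tenant's sign-in log; the window should match how quickly your service providers redeem a response after issuance.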


Sources:
  1. https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
  2. https://www.sygnia.co/golden-saml-advisory
  3. https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps