New Silver SAML attack bypasses Golden SAML defenses in identity systems

Silver SAML Attack

Cybersecurity researchers have detailed a new attack technique called Silver SAML that can succeed even where defenses against Golden SAML attacks are already in place.

Silver SAML “enables the exploitation of SAML to conduct attacks from an identity provider such as Entra ID on applications configured to use it for authentication, such as Salesforce,” Semperis researchers Tomer Nahum and Eric Woodruff said in a report shared with The Hacker News.

Golden SAML (SAML being short for Security Assertion Markup Language) was first documented by CyberArk in 2017. The attack, in a nutshell, abuses the interoperable authentication standard to impersonate virtually any identity in an organization.

It is similar to the Golden Ticket attack in that it gives attackers the ability to gain unauthorized access to any service in a federation with any privileges, and to persist stealthily in that environment.


“Golden SAML introduces to a federation the benefits that golden ticket provides in a Kerberos environment – from gaining any kind of access to stealthily maintaining persistence,” security researcher Shaked Reiner noted at the time.

Real-world attacks using this method are rare. The first recorded use was in the SolarWinds compromise, in which the attackers forged SAML tokens using stolen SAML token-signing certificates to gain administrative access.

Golden SAML was also weaponized by an Iranian threat actor codenamed Peach Sandstorm during a March 2023 intrusion to access an unnamed target’s cloud resources without the need for a password, Microsoft revealed in September 2023.

Silver SAML attack

The latest approach is a variation on Golden SAML that works against an identity provider (IdP) such as Microsoft Entra ID (formerly Azure Active Directory) and does not require access to Active Directory Federation Services (AD FS). It has been rated a moderate-severity threat to organizations.

“Within Entra ID, Microsoft provides a self-signed certificate for signing SAML responses,” the researchers said. “Alternatively, organizations can choose to use an externally generated certificate, such as Okta’s. However, that option comes with a security risk.”

“Any attacker who obtains the private key of an externally generated certificate can spoof any SAML response and sign that response with the same private key that Entra ID holds. With this type of spoofed SAML response, the attacker can then gain access to the application – like any user.”
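The following is an added example, not code from Semperis or Microsoft, that models the trust relationship the researchers describe. A relying party trusts one token-signing public key; whoever holds the matching private key can sign an assertion for any NameID and the relying party has no way to tell it apart from a genuine IdP response. Assumptions: the XML-DSig canonicalization of real SAML is replaced by signing the serialized assertion string directly with RSA-PKCS1v15/SHA-256, and the entity IDs and user names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Assertion is the part of a SAML response the relying party acts on.
// Real SAML carries this as XML signed with XML-DSig; here the serialized
// string is signed directly (assumption for this example).
type Assertion struct {
	Issuer   string // entity ID of the IdP the SP trusts
	Audience string // entity ID of the SP
	NameID   string // the identity being asserted
}

// Serialize produces the exact bytes that are hashed and signed.
func (a Assertion) Serialize() []byte {
	return []byte(fmt.Sprintf(
		"<Assertion><Issuer>%s</Issuer><Subject><NameID>%s</NameID></Subject>"+
			"<Conditions><Audience>%s</Audience></Conditions></Assertion>",
		a.Issuer, a.NameID, a.Audience))
}

// GenerateSigningKey stands in for creating the externally generated
// token-signing certificate whose private key is later imported into the IdP.
func GenerateSigningKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// Sign is what the IdP does to every response, and what anyone holding the
// same private key can do to a response of their own making.
func Sign(priv *rsa.PrivateKey, a Assertion) string {
	digest := sha256.Sum256(a.Serialize())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(sig)
}

// ServiceProvider is the relying party. Its only trust anchor is the IdP's
// signing public key, taken from federation metadata at setup time.
type ServiceProvider struct {
	EntityID string
	IdP      string
	TrustKey *rsa.PublicKey
}

// Accept validates the response the way an SP does: signature, then issuer and
// audience. On success it returns the NameID it will log in as. Nothing here
// can tell whether the IdP or a key thief produced the signature.
func (sp ServiceProvider) Accept(a Assertion, sigB64 string) (string, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256(a.Serialize())
	if err := rsa.VerifyPKCS1v15(sp.TrustKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature does not verify against trusted key: %w", err)
	}
	if a.Issuer != sp.IdP {
		return "", fmt.Errorf("unexpected issuer %q", a.Issuer)
	}
	if a.Audience != sp.EntityID {
		return "", fmt.Errorf("assertion not addressed to this SP")
	}
	return a.NameID, nil
}

func main() {
	// The key the organization generated outside the IdP and uploaded to it;
	// a copy of the private half is assumed to have leaked.
	leaked := GenerateSigningKey()
	sp := ServiceProvider{
		EntityID: "https://sp.example/saml", // hypothetical SP
		IdP:      "https://idp.example/",    // hypothetical IdP entity ID
		TrustKey: &leaked.PublicKey,
	}
	// The attacker never contacts the IdP: the response is built locally.
	forged := Assertion{Issuer: sp.IdP, Audience: sp.EntityID, NameID: "admin@contoso.example"}
	who, err := sp.Accept(forged, Sign(leaked, forged))
	fmt.Println("leaked key:", who, err)

	// After moving to a key whose private half never left the IdP,
	// the same forgery is rejected.
	fresh := GenerateSigningKey()
	sp.TrustKey = &fresh.PublicKey
	_, err = sp.Accept(forged, Sign(leaked, forged))
	fmt.Println("rotated key:", err)
}
```

The point of the rotation step at the end is the mitigation the article recommends: a self-signed certificate generated inside Entra ID gives the same verification path at the SP, but the private key is never in a file an attacker could copy.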

Following responsible disclosure to Microsoft on January 2, 2024, the company said the issue does not meet its bar for immediate servicing, but noted that it will take appropriate action as needed to protect customers.


While there is no evidence of Silver SAML being exploited in the wild, organizations are advised to use only Entra ID self-signed certificates for SAML signing. Semperis has also released a proof-of-concept (PoC) tool, SilverSAMLForger, that creates custom SAML responses.

“Organizations can monitor the Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement,” the researchers said.

“You must correlate these events with the adding service principal credential events related to the service principal. The rotation of expired certificates is a common process, so you must determine whether the audit events are legitimate. Implementing change management processes to document the rotation can help minimize confusion during rotation events.”
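The detection the researchers outline, written out as an added example that is not Semperis or Microsoft code. It reads Entra ID audit entries as JSON lines, picks out PreferredTokenSigningKeyThumbprint changes under ApplicationManagement, correlates each with an "Add service principal credentials" event on the same service principal inside a time window, and checks the new thumbprint against a change-management list. Assumptions: the field names follow the Microsoft Graph directoryAudit shape (only the fields used are declared), the sample log lines and the approved-thumbprint list are constructed for this example, and the 24-hour window is a tunable guess.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Audit entry shape modeled on the Graph directoryAudit resource (assumption:
// only the fields this example needs are declared).
type ModifiedProperty struct {
	DisplayName string `json:"displayName"`
	OldValue    string `json:"oldValue"`
	NewValue    string `json:"newValue"`
}

type TargetResource struct {
	ID                 string             `json:"id"`
	DisplayName        string             `json:"displayName"`
	Type               string             `json:"type"`
	ModifiedProperties []ModifiedProperty `json:"modifiedProperties"`
}

type AuditEntry struct {
	ID                  string    `json:"id"`
	Category            string    `json:"category"`
	ActivityDisplayName string    `json:"activityDisplayName"`
	ActivityDateTime    time.Time `json:"activityDateTime"`
	InitiatedBy         struct {
		User struct {
			UserPrincipalName string `json:"userPrincipalName"`
		} `json:"user"`
	} `json:"initiatedBy"`
	TargetResources []TargetResource `json:"targetResources"`
}

// Finding is one signing-key thumbprint change plus the context an analyst needs.
type Finding struct {
	EntryID, ServicePrincipal, Actor string
	OldThumbprint, NewThumbprint     string
	When                             time.Time
	CredentialAddSeen                bool   // a credential was added to this SP shortly before
	Ticket                           string // change-management reference for the new thumbprint, if any
}

// Suspicious flags a rotation with no preceding credential add on the same SP
// or a thumbprint nobody documented.
func (f Finding) Suspicious() bool { return !f.CredentialAddSeen || f.Ticket == "" }

// CorrelationWindow is how far back to look for the credential-add event (assumption).
const CorrelationWindow = 24 * time.Hour

// SampleAuditLog is constructed for this example: a documented rotation (e1, e2),
// an undocumented thumbprint change weeks later (e3), and an unrelated update (e4).
const SampleAuditLog = `
{"id":"e1","category":"ApplicationManagement","activityDisplayName":"Add service principal credentials","activityDateTime":"2024-03-04T09:00:00Z","initiatedBy":{"user":{"userPrincipalName":"iam-admin@contoso.example"}},"targetResources":[{"id":"sp-salesforce","displayName":"Salesforce","type":"ServicePrincipal","modifiedProperties":[{"displayName":"KeyDescription","oldValue":"[]","newValue":"[\"KeyIdentifier=k2024\"]"}]}]}
{"id":"e2","category":"ApplicationManagement","activityDisplayName":"Update service principal","activityDateTime":"2024-03-04T09:03:00Z","initiatedBy":{"user":{"userPrincipalName":"iam-admin@contoso.example"}},"targetResources":[{"id":"sp-salesforce","displayName":"Salesforce","type":"ServicePrincipal","modifiedProperties":[{"displayName":"PreferredTokenSigningKeyThumbprint","oldValue":"\"AAAA1111\"","newValue":"\"BBBB2222\""}]}]}
{"id":"e3","category":"ApplicationManagement","activityDisplayName":"Update service principal","activityDateTime":"2024-03-22T03:14:00Z","initiatedBy":{"user":{"userPrincipalName":"svc-deploy@contoso.example"}},"targetResources":[{"id":"sp-salesforce","displayName":"Salesforce","type":"ServicePrincipal","modifiedProperties":[{"displayName":"PreferredTokenSigningKeyThumbprint","oldValue":"\"BBBB2222\"","newValue":"\"CCCC3333\""}]}]}
{"id":"e4","category":"ApplicationManagement","activityDisplayName":"Update service principal","activityDateTime":"2024-03-22T10:00:00Z","initiatedBy":{"user":{"userPrincipalName":"iam-admin@contoso.example"}},"targetResources":[{"id":"sp-wiki","displayName":"Wiki","type":"ServicePrincipal","modifiedProperties":[{"displayName":"DisplayName","oldValue":"\"Wiki\"","newValue":"\"Wiki (prod)\""}]}]}
`

// ParseAuditLog decodes one JSON object per non-empty line.
func ParseAuditLog(jsonl string) ([]AuditEntry, error) {
	var out []AuditEntry
	for n, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var e AuditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, e)
	}
	return out, nil
}

// unquote strips the extra JSON-string encoding the audit log applies to old/new values.
func unquote(v string) string { return strings.Trim(v, `"[]`) }

// credentialAddedBefore reports whether a credential was added to spID within
// the window before t. Matching on the SP, not the actor, keeps an attacker who
// uses one account for both steps from slipping past the correlation.
func credentialAddedBefore(entries []AuditEntry, spID string, t time.Time, window time.Duration) bool {
	for _, e := range entries {
		if e.ActivityDisplayName != "Add service principal credentials" {
			continue
		}
		if d := t.Sub(e.ActivityDateTime); d < 0 || d > window {
			continue
		}
		for _, tr := range e.TargetResources {
			if tr.ID == spID {
				return true
			}
		}
	}
	return false
}

// FindSigningKeyChanges is the detection: every PreferredTokenSigningKeyThumbprint
// change under ApplicationManagement, enriched with correlation and ticket data.
func FindSigningKeyChanges(entries []AuditEntry, window time.Duration, approved map[string]string) []Finding {
	var findings []Finding
	for _, e := range entries {
		if e.Category != "ApplicationManagement" {
			continue
		}
		for _, tr := range e.TargetResources {
			for _, mp := range tr.ModifiedProperties {
				if mp.DisplayName != "PreferredTokenSigningKeyThumbprint" {
					continue
				}
				oldT, newT := unquote(mp.OldValue), unquote(mp.NewValue)
				if oldT == newT {
					continue
				}
				findings = append(findings, Finding{
					EntryID: e.ID, ServicePrincipal: tr.DisplayName + " (" + tr.ID + ")",
					Actor: e.InitiatedBy.User.UserPrincipalName, OldThumbprint: oldT, NewThumbprint: newT,
					When:              e.ActivityDateTime,
					CredentialAddSeen: credentialAddedBefore(entries, tr.ID, e.ActivityDateTime, window),
					Ticket:            approved[newT],
				})
			}
		}
	}
	return findings
}

func main() {
	entries, err := ParseAuditLog(SampleAuditLog)
	if err != nil {
		panic(err)
	}
	approved := map[string]string{"BBBB2222": "CHG-4471"} // constructed change-management record
	for _, f := range FindSigningKeyChanges(entries, CorrelationWindow, approved) {
		fmt.Printf("%s %s %s -> %s by %s credAdd=%v ticket=%q suspicious=%v\n",
			f.When.Format(time.RFC3339), f.ServicePrincipal, f.OldThumbprint, f.NewThumbprint,
			f.Actor, f.CredentialAddSeen, f.Ticket, f.Suspicious())
	}
}
```

On the constructed sample, e2 comes out clean (credential added three minutes earlier, thumbprint on the change record) and e3 is flagged on both counts. The ticket check is the stronger of the two signals: the credential-add correlation only tells you the rotation followed the normal sequence, which an attacker with sufficient rights can also follow, whereas the documented thumbprint ties the event to a change someone actually approved.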
