In the shadowy landscape of cybersecurity, most organizations wrestle with threats as old as the internet itself: brute-forced passwords, relentless phishing campaigns, and credential stuffing attacks. Yet, among these familiar dangers, a more insidious risk quietly stalks even the most security-conscious enterprises: the Golden SAML attack. Despite being mentioned far less frequently than ransomware or Trojan horses, the Golden SAML assault has, in recent years, become a chilling symbol of how trust—once established—can be weaponized against its creator.
This is not a future problem, nor merely a theoretical one. As of June 2025, Microsoft attests to only 20 incident reports involving Golden SAML across fewer than ten organizations in the past two years, but the impact of even a single successful breach reverberates throughout the victim’s digital infrastructure. What makes this style of attack so devastating? And—crucially—what steps can Windows, Azure, and hybrid network administrators take to prepare for a world where attackers hunt the very trust anchors of enterprise identity?
Golden SAML first emerged from the threat-research labs of CyberArk in 2017. The technique borrows conceptually from the infamous “Golden Ticket” attacks against Kerberos but extends its reach into the sprawling, federated world of SAML (Security Assertion Markup Language) authentication. Where Kerberos Golden Ticket attacks rely on forging authentication tickets using a compromised Kerberos key, Golden SAML targets the breach and theft of a SAML token-signing private key—most commonly from federation infrastructure like Active Directory Federated Services (AD FS).
SAML is foundational in enterprise single sign-on (SSO) environments. It allows users to authenticate once—with an Identity Provider (IdP) such as Microsoft Entra ID or on-prem AD FS—and use that assertion (a SAML token) to access a myriad of cloud and on-premises resources, including email, business intelligence suites, travel and expense platforms, and proprietary business apps. The security of this entire arrangement depends on one critical piece: the private signing key, which the IdP jealously guards. When applications—known as “relying parties”—trust this signature, they accept the identity and entitlements as gospel.
But what happens if an attacker stealthily acquires this private key? In short, all bets are off.
Once inside, the attacker surreptitiously exports the token-signing certificate’s private key from the federation server. In AD FS environments, event logs such as Event IDs 4103 and 4104 can reveal certificate export activity. Other detection methods include monitoring for rare commands like
With this key, the intruder can now forge SAML authentication tokens—at any time, from anywhere. These tokens are cryptographically identical to ones created by the legitimate IdP. Any service that relies on SAML for authentication, including Microsoft 365, Azure, AWS, Google Workspace, or on-premises enterprise applications, will accept these tokens as legitimate. The attacker can now impersonate not just ordinary users, but administrators, C-suite executives, incident responders—even accounts that don’t exist or haven’t logged in for years.
To compound the threat, these tokens are created outside of any normal authentication workflow. There’s no corresponding sign-in entry in the logs of the actual IdP; no MFA prompts are triggered. Most detection and response systems simply see valid logins from trusted tokens.
Key points of concern:
Among the most disturbing trends:
Organizations must therefore approach federation server security as an existential risk:
While only a small number of incidents have come to light, the catastrophic potential is undeniable. Preparation, automation, and relentless operational discipline—paired with a readiness to modernize away from legacy sign-on architectures—offer the best defense. For organizations on the Windows and Microsoft cloud frontier, recognition of this threat is not just prudent. It is absolutely essential to survival in the modern threat landscape.
Source: GBHackers News Golden SAML Attack: How Attackers Gain Control of Federation Server's Private Key
This is not a future problem, nor merely a theoretical one. As of June 2025, Microsoft attests to only 20 incident reports involving Golden SAML across fewer than ten organizations in the past two years, but the impact of even a single successful breach reverberates throughout the victim’s digital infrastructure. What makes this style of attack so devastating? And—crucially—what steps can Windows, Azure, and hybrid network administrators take to prepare for a world where attackers hunt the very trust anchors of enterprise identity?
Golden SAML first emerged from the threat-research labs of CyberArk in 2017. The technique borrows conceptually from the infamous “Golden Ticket” attacks against Kerberos but extends its reach into the sprawling, federated world of SAML (Security Assertion Markup Language) authentication. Where Kerberos Golden Ticket attacks rely on forging authentication tickets using a compromised Kerberos key, Golden SAML targets the breach and theft of a SAML token-signing private key—most commonly from federation infrastructure like Active Directory Federated Services (AD FS).SAML is foundational in enterprise single sign-on (SSO) environments. It allows users to authenticate once—with an Identity Provider (IdP) such as Microsoft Entra ID or on-prem AD FS—and use that assertion (a SAML token) to access a myriad of cloud and on-premises resources, including email, business intelligence suites, travel and expense platforms, and proprietary business apps. The security of this entire arrangement depends on one critical piece: the private signing key, which the IdP jealously guards. When applications—known as “relying parties”—trust this signature, they accept the identity and entitlements as gospel.
But what happens if an attacker stealthily acquires this private key? In short, all bets are off.
Anatomy of a Golden SAML Attack
The process unfolds in chilling precision. First, the attacker must compromise the federation server. This is not a trivial feat; it almost always requires administrative rights over the operating system or domain-level privileges. Such access is often gained through multi-stage intrusion campaigns exploiting unpatched vulnerabilities, lateral movement after phishing, or supply chain attacks that plant malware capable of privilege escalation.Once inside, the attacker surreptitiously exports the token-signing certificate’s private key from the federation server. In AD FS environments, event logs such as Event IDs 4103 and 4104 can reveal certificate export activity. Other detection methods include monitoring for rare commands like
Export-PfxCertificate or certutil -exportPFX, and alerting on unexpected configuration changes (Event ID 307 and related 510).With this key, the intruder can now forge SAML authentication tokens—at any time, from anywhere. These tokens are cryptographically identical to ones created by the legitimate IdP. Any service that relies on SAML for authentication, including Microsoft 365, Azure, AWS, Google Workspace, or on-premises enterprise applications, will accept these tokens as legitimate. The attacker can now impersonate not just ordinary users, but administrators, C-suite executives, incident responders—even accounts that don’t exist or haven’t logged in for years.
To compound the threat, these tokens are created outside of any normal authentication workflow. There’s no corresponding sign-in entry in the logs of the actual IdP; no MFA prompts are triggered. Most detection and response systems simply see valid logins from trusted tokens.
Why Are Golden SAML Attacks So Dangerous?
Unlike malware or ransomware, Golden SAML attacks do not rely on software vulnerabilities. They exploit the inherent trust baked into SAML authentication. The attacker is not breaking the system—they are using it exactly as designed.Key points of concern:
- Entire Organization Compromised: With the stolen key, an attacker can issue tokens for any user, at any privilege level—rendering account-based segmentation virtually meaningless.
- Persistence: Token-signing keys typically have lifespans of years. If an attacker is not detected by the time the key is rotated, they can maintain stealthy access for an indefinite period.
- Detection Difficulty: Since the SAML tokens appear valid, standard anomaly detection and SIEM rules are easily circumvented. Only the most sophisticated baselines—such as alerting on “impossible travel” (logins from geographically impossible locations) or anomalous token lifespans—offer a fighting chance at catching the intrusion.
- Immediate Data Exfiltration: Attackers observed by CISA often target high-value email inboxes, SharePoint sites, and business intelligence dashboards—stealing sensitive data via perfectly valid API calls.
Detection—A Relentless Cat-and-Mouse Game
Organizations that want to identify and prevent Golden SAML attacks must adopt a defense-in-depth strategy. Key detection methods include:- Correlating SSO Events: Cross-reference SAML token logins at the service provider (e.g., Azure AD) with corresponding authentication events in AD FS or domain controllers. Absence of the expected Windows event IDs (e.g., 4769, 1200, 1202) for a successful login may suggest token forgery.
- Certificate Export Alerts: Monitor all attempts to export certificates from federation servers. Event IDs 4103/4104, as well as Sysmon logs for unexpected access to the WID SQL instance, can give early warning.
- Irregular SAML Token Traits: Most organizations set SAML token validity at 1 hour. Look for tokens with abnormally long lifespans, odd issuance-to-use timestamps, or tokens where no login event is recorded around the time of use.
- Configuration Integrity Monitoring: Use centralized logging to track all trust relationship changes, unexpected additions of service principal credentials, and modifications to federation trust settings inside Azure AD and other cloud environments.
Case Studies and Real-World Impact
The SolarWinds incident remains the most high-profile example of Golden SAML in action. Advanced persistent threat (APT) actors used elevated access to harvest AD FS signing keys and forge tokens, moving laterally in victim environments and quietly exfiltrating data with administrative impunity. CISA has since responded to numerous copycat campaigns, with attackers creating unauthorized tokens and accessing critical systems from hidden vantage points.Among the most disturbing trends:
- Adversaries prioritizing email accounts of IT admins and incident responders, not end-users, to maximize access and cover tracks.
- The use of compromised SAML tokens for lateral movement and privilege escalation that crosses the cloud/on-premises boundary.
- Attackers establishing backdoors via dormant or newly minted service principals, adding or escalating OAuth permissions, and quietly modifying or creating new federation trusts out of sight of the main IT audit trail.
Prevention—A Multi-Layered Approach
Immediate Steps
For organizations unable to migrate entirely to cloud-native identity providers such as Microsoft Entra ID, the following measures are critical:- Harden Federation Servers: Restrict administrative access to AD FS. Deploy strict network segmentation, enforce just-in-time admin access, and avoid exposing AD FS to the public internet.
- Token-Signing Key Protection: Store private keys within Hardware Security Modules (HSMs) whenever feasible, encrypt backups, and periodically audit for any certificate export events.
- Regular Key Rotation: Reduce the lifespan of token-signing certificates; this limits the attacker’s window of opportunity, even if a key is compromised.
- Comprehensive Logging: Ensure centralized, immutable, and regularly reviewed logs for all AD FS activity, configuration changes, and cloud sign-in events.
Strategic Transformation
- Embrace Cloud Identity Providers: Migration to Microsoft Entra ID (formerly Azure AD) or comparable cloud-only IdPs removes the need for sensitive on-prem token-signing keys and leverages Microsoft’s own Zero Trust, anomaly detection, and MFA enforcement at scale.
- Zero Trust Architecture: Assume all network perimeters are breached and design access policies based on device health, user risk, and contextual signals, not static trust zones.
- Hybrid Environment Isolation: Rigorously separate on-prem and cloud workloads. Prevent a compromise of one realm (e.g., on-prem AD FS) from cascading into cloud-only services.
- MFA and Conditional Access: Enforce strong MFA policies directly via cloud identity platforms and extend these to all federated and privileged accounts.
Cloud-First Advantages
Microsoft Entra ID provides a compelling response to the Golden SAML risk. By shifting trust away from vulnerable on-prem components toward cloud-controlled infrastructure, organizations can:- Offload responsibility for signing key management to highly secure, Microsoft-managed HSMs, reducing threat surface dramatically.
- Gain the benefit of continuous monitoring, machine learning-based anomaly detection, Impossible Travel alerts, and integration with tools like Microsoft Entra ID Protection and Defender for Identity.
- Leverage features like OIDC federation, seamless partner onboarding, policy-driven access, and automatic session management, thereby reducing dependency on static secrets or passwords.
The Limits of Detection—Why Proactivity Is Essential
Golden SAML attacks are, by their very nature, invisible to most traditional security tools. They do not require vulnerabilities to succeed, only administrative missteps or failures in operational security. Once the private key is lost, all subsequent detections are, at best, forensics—useful for investigation, but too late to prevent major damage.Organizations must therefore approach federation server security as an existential risk:
- Out-of-band communication plans for incident response teams must be prepared in advance.
- “Assume breach” principles and operational plans for certificate rotation and rapid re-federation with relying party applications must be drilled and documented.
- Visibility into configuration changes, federation relationships, and all instances of certificate export should be maintained continuously.
Critical Analysis: Strengths and Weaknesses of Current Defenses
Strengths
- Rapid Evolution of Cloud IdPs: Microsoft, Okta, and other IdPs have continued to add robust safeguards, anomaly detection, and conditional access, limiting attackers’ opportunities for persistent access via forged tokens.
- Logging and Forensics Maturity: Tools like Sparrow and Hawk provide granular visibility into service principal credential changes, federation trust relationships, and OAuth consent flows—critical for post-incident analysis.
- Hardened Operational Practices: Enterprises that regularly rotate signing keys, perform privilege audits, and encrypt federation server backups reduce their “blast radius.”
Risks and Challenges
- Legacy Infrastructure: Many enterprises cannot immediately deprecate on-prem AD FS, creating an ongoing window of risk. Hybrid AD environments are particularly vulnerable as attacks cross boundaries.
- Human Error and Configuration Drift: Even with technical mitigations, lapses in procedure (such as leaving certificates unencrypted or delegating excessive admin rights) remain ripe targets for attackers.
- Detection Gaps: Since valid tokens are used, only indirect signals—such as unusual login locations, rarely used service accounts, or token anomalies—can betray an attacker’s presence.
- Attack Automation and APT Interest: Recent incidents show that state-sponsored attackers are willing to invest months into establishing deep, stealthy footholds via Golden SAML.
The Road Ahead: Recommendations for Windows Administrators
Golden SAML attacks exemplify a broader trend: attackers are increasingly shifting from the periphery (phishing, malware) to the very core of organizational trust. For Windows and Azure admins, this raises non-negotiable priorities:- Begin or accelerate migration off on-prem federation servers.
- Inventory and audit all federation trusts and signing certificates—know exactly where your trust anchors are, and who can access them.
- Employ Microsoft Entra ID Protection, Defender for Identity, and Azure Sentinel to monitor for both known and emerging SAML manipulation tactics.
- Educate administrators and IR personnel to recognize subtle signs of token abuse, such as rare service principal usage or configuration drift.
- Join information-sharing forums and remain abreast of emerging forensic techniques, as the community often detects new APT tricks before official advisories are released.
Conclusion: A Call for Vigilance
Golden SAML attacks are not merely a technical oddity—they are proof that digital trust is both a fortress and, sometimes, a fatal weakness. In a world that increasingly depends on federated authentication and seamless digital boundaries, the theft of a single key can grant the keys to the entire kingdom.While only a small number of incidents have come to light, the catastrophic potential is undeniable. Preparation, automation, and relentless operational discipline—paired with a readiness to modernize away from legacy sign-on architectures—offer the best defense. For organizations on the Windows and Microsoft cloud frontier, recognition of this threat is not just prudent. It is absolutely essential to survival in the modern threat landscape.
Source: GBHackers News Golden SAML Attack: How Attackers Gain Control of Federation Server's Private Key