Security

If you are generating SAML signing certificates externally, STOP!!

Once inside ADFS, the attackers “could steal data, a private key, needed to speak SAML to the business applications, impersonating authentication, and users,” Semperis researcher Woodruff said.

Cybersecurity experts recommended switching to a cloud identity provider because it promised better private-key security.

With Entra ID, the private key used to perform a Golden SAML attack is stored in a way that only Microsoft services can access it, Woodruff explained. With ADFS, an administrator (or an attacker who has gained administrator access) can both write and read the private key; with Entra ID, only administrators can write it, so an attacker cannot read it.

Silver SAML abuses externally generated certificates

When applications are configured in Entra ID to perform SAML authentication, the SAML signing certificate is generated by Microsoft by default. Because the private key portion of that certificate cannot be exported, an attacker will never be able to obtain it in the default configuration, Woodruff explained.

However, owing to enterprise policies and requirements, an administrator can sometimes obtain this certificate externally, subsequently uploading the private and public key portion to Entra ID. “It’s the exposure that occurs between wherever and however they got that externally generated certificate and uploaded it to Entra ID that becomes a risk, as it leaves places that an attacker could try to find the private key,” Woodruff added.

According to the POC, organizations often generate signing certificates on a client system, through an enterprise public key infrastructure (PKI) such as Active Directory Certificate Services (AD CS), or from an external certificate authority (CA). Adding to the risk, they then pass these certificates around through insecure channels such as Teams or Slack, keep them on client machines, where they remain available for export from the machine’s local certificate store, or install them on web servers, typically running Microsoft Internet Information Services (IIS), where they likewise remain available for export.
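The exposure described above can be checked for from the defender’s side: an added example (not from the article or from Semperis) that inventories certificates in the Windows local machine store whose private key is present and exportable, which is exactly the state a leftover externally generated SAML signing certificate is left in. It assumes Windows PowerShell 5.1 or later run elevated; the function name is an assumption of this example.

```powershell
# Added example: list certificates in the local machine store that still carry an
# exportable private key, so leftover SAML signing certificates can be found and removed.
function Get-ExportablePrivateKeyCerts {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $exportable = $null   # stays $null for non-RSA keys (e.g. ECDSA), which this check skips
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: any export policy other than None allows the key to leave the machine
                $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI/CSP key: the container records whether export was allowed at creation
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch {
            # Key lives in a provider we cannot open (HSM, TPM, smart card); report it for review
            $exportable = 'Unknown'
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Exportable = $exportable
        }
    }
}

# Show only the findings that matter: certificates whose private key can be exported.
Get-ExportablePrivateKeyCerts | Where-Object { $_.Exportable -eq $true } | Format-Table -AutoSize
```

Any SAML signing certificate that appears in this output after its public half has been uploaded to Entra ID should be deleted from the store, and the same check belongs on IIS hosts and admin workstations where such certificates were generated or staged.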
