Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
BP-003 Federation Metadata Collection
🔍 What This Breach Pattern Is
Federation Metadata Collection occurs when attackers systematically retrieve and analyze public or semi-public federation documents to map identity infrastructure. While federation metadata is designed for interoperability, misconfigurations and legacy implementations create reconnaissance opportunities.
SAML Components
  • Metadata XML documents
  • Signing certificate fingerprints
  • Application entity IDs
  • Service provider endpoints
OIDC Discovery
  • /.well-known/openid-configuration
  • Token endpoints
  • Supported grant types
  • Authorization URLs
Trust Architecture
  • Federation trust URLs
  • Redirect URIs
  • Claims configuration
  • Multi-tenant paths
Exposed metadata becomes a blueprint that attackers use to identify trust chains, detect outdated certificates, and map token infrastructure for later exploitation phases.
🧠 Attacker Objectives & Weaponization
Primary Reconnaissance Goals
Attackers harvest metadata to reverse-engineer federation architecture and identify exploitable trust relationships. This intelligence gathering reveals how identity systems authenticate users, which external IdPs are trusted, and where validation weaknesses exist.
  • Map federation topology and trust chains
  • Identify weak or expired signing certificates
  • Catalog token endpoints for OAuth manipulation
  • Analyze redirect URIs for phishing vectors
  • Detect legacy federation integrations
Downstream Attack Enablement
Metadata collection serves as foundational reconnaissance for sophisticated identity attacks. Understanding acceptable claims enables identity forgery, while redirect URI analysis supports credential harvesting campaigns.
This pattern is a precursor to:
  • Federation hijacking attacks
  • Claim manipulation and injection
  • Token forging and replay
  • Cross-tenant privilege escalation
⚠️ Misconfigurations That Enable BP-003
MC-037 — Weak Token Signing Certificate Management
Old, expired, or leaked certificates remain trusted in federation configurations, allowing attackers to impersonate legitimate identity providers. Organizations fail to rotate certificates on recommended schedules or properly revoke compromised keys.
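A defender-side check for this misconfiguration is to audit what an IdP's published SAML metadata actually advertises as signing keys. The following Python is an added example, not code from this framework: it parses a SAML metadata document, pulls every signing certificate out of the KeyDescriptor elements, reads the X.509 Validity field with a minimal DER walker (standard library only, no third-party parser), and reports each key as expired, expiring or valid, plus whether its SHA-256 fingerprint is on the operator's approved list. The metadata document and the two certificate skeletons are constructed fixtures; the entity ID and URLs are placeholders.

```python
"""Audit the signing certificates published in SAML IdP metadata (added example).
Flags keys that are expired, near expiry, or not on the approved-fingerprint list."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag, value):
    """UTCTime (0x17, YYMMDD..., two-digit year) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_body, _ = _tlv(der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)                      # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    if tag != 0xA0:                                     # v1 certs omit the [0] version field
        pos = 0
    for _ in range(3):                                  # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)                     # Validity { notBefore, notAfter }
    nb_tag, nb, pos = _tlv(validity, 0)
    na_tag, na, _ = _tlv(validity, pos)
    return _asn1_time(nb_tag, nb), _asn1_time(na_tag, na)


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def audit_signing_keys(metadata_xml, approved_fingerprints, now=None, warn_days=30):
    """One finding per signing certificate advertised in the metadata document."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    findings = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":       # no 'use' attribute means both uses
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(node.text.split()))
            _, not_after = cert_validity(der)
            if not_after < now:
                status = "expired"
            elif not_after - now < timedelta(days=warn_days):
                status = "expiring"
            else:
                status = "valid"
            findings.append({"entity_id": root.get("entityID"), "fingerprint": fingerprint(der),
                             "not_after": not_after.isoformat(), "status": status,
                             "approved": fingerprint(der) in approved_fingerprints})
    return findings


# ---- constructed fixtures below: a tiny DER encoder and two certificate skeletons ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _skeleton_cert(not_before, not_after):
    """X.509 skeleton with a real Validity field and placeholder names, key and
    signature: enough structure for cert_validity(); not a usable certificate."""
    def utc(s):
        return _der(0x17, s.encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")      # version v3, serial
           + _der(0x30, b"") + _der(0x30, b"")                        # sig alg, issuer (placeholders)
           + _der(0x30, utc(not_before) + utc(not_after))             # validity
           + _der(0x30, b"") + _der(0x30, b""))                       # subject, SPKI (placeholders)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


STALE_CERT = _skeleton_cert("190101000000Z", "210101000000Z")     # expired in 2021, still published
CURRENT_CERT = _skeleton_cert("240101000000Z", "350101000000Z")   # the approved rotation key


def _b64(der):
    return base64.b64encode(der).decode("ascii")


SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(STALE_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(CURRENT_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def run_sample_audit():
    """Audit the constructed metadata with a fixed clock so results are reproducible."""
    fixed_now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    return audit_signing_keys(SAMPLE_METADATA, {fingerprint(CURRENT_CERT)}, now=fixed_now)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Run against your own IdP's metadata export on a schedule: any signing key that is expired, or that is not on the approved list, is exactly the stale or unknown trust anchor this misconfiguration describes, and the fingerprint gives you something concrete to revoke or remove. Note that Python's `%y` maps two-digit years 69 to 99 into the 1900s, which matches X.509 UTCTime only for 69 to 99 (the standard uses 50 as the cut-off), so certificates from the 1950s to 1960s would be misdated; none should be in a live federation.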
MC-146 — Inconsistent Identity Trust Boundaries
Multiple federation paths expose varying metadata sets with different security postures. Legacy integrations coexist with modern implementations, creating inconsistent trust models that attackers probe for weakest-link access.
MC-075 — Weak Network Segmentation for Identity Paths
Federation endpoints lack proper network controls and become globally accessible. Metadata URLs respond to unauthenticated requests without rate limiting, enabling systematic harvesting of identity infrastructure details.
🛡️ Detection & Defense Architecture
Detection Signals
DL-027 — Cross-Tenant Enumeration Anomaly
Detects probing activity from foreign tenants or external IdPs attempting to map federation relationships.
DL-039 — Federation Claim Manipulation
Captures abnormal interactions with federation trust paths and suspicious claim processing patterns.
DL-001 — Unusual External Enumeration Behavior
Flags excessive metadata retrieval, scraping patterns, or automated harvesting attempts.
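The following Python is an added example, not part of this framework, showing one way to implement the DL-001 and DL-027 signals (and to drive the rate limit that MC-075 calls for) over ordinary web-server access logs. It treats any request for a federation metadata path as a "fetch", keeps a ten-minute sliding window per client address, and raises an alert when a single address either fetches metadata too often or touches too many distinct tenants. The log lines, the tenant-as-first-path-segment convention, the thresholds and the IP addresses are all constructed for the example; the metadata paths watched are the OIDC discovery path from this page, the fixed AD FS metadata path, and an assumed `/saml/metadata` path.

```python
"""Sliding-window detector for federation metadata harvesting (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Paths whose retrieval counts as a metadata fetch. AD FS publishes at the fixed
# FederationMetadata path; /saml/metadata is an assumed path for this example.
METADATA_RE = re.compile(r"/(\.well-known/openid-configuration"
                         r"|FederationMetadata/2007-06/FederationMetadata\.xml"
                         r"|saml/metadata)$")

# Constructed sample: two normal clients plus one address sweeping several tenants.
SAMPLE_LOG = """
198.51.100.10 - - [03/Mar/2026:09:00:01 +0000] "GET /tenant-a/.well-known/openid-configuration HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.22 - - [03/Mar/2026:09:04:10 +0000] "GET /tenant-a/saml/metadata HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2026:09:10:00 +0000] "GET /tenant-a/.well-known/openid-configuration HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.7 - - [03/Mar/2026:09:10:02 +0000] "GET /tenant-b/.well-known/openid-configuration HTTP/1.1" 200 1851 "-" "curl/8.5.0"
203.0.113.7 - - [03/Mar/2026:09:10:03 +0000] "GET /tenant-c/.well-known/openid-configuration HTTP/1.1" 404 153 "-" "curl/8.5.0"
203.0.113.7 - - [03/Mar/2026:09:10:05 +0000] "GET /tenant-a/FederationMetadata/2007-06/FederationMetadata.xml HTTP/1.1" 200 9320 "-" "curl/8.5.0"
203.0.113.7 - - [03/Mar/2026:09:10:06 +0000] "GET /tenant-d/saml/metadata HTTP/1.1" 200 4980 "-" "curl/8.5.0"
203.0.113.7 - - [03/Mar/2026:09:10:09 +0000] "GET /tenant-a/login HTTP/1.1" 200 2201 "-" "curl/8.5.0"
198.51.100.10 - - [03/Mar/2026:09:30:00 +0000] "GET /tenant-a/.well-known/openid-configuration HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
"""


def detect_metadata_harvesting(log_text, window=timedelta(minutes=10),
                               max_fetches=5, max_tenants=3):
    """Return alerts in the order they trigger; one alert per (ip, signal)."""
    recent = defaultdict(deque)       # ip -> deque of (timestamp, tenant) inside the window
    alerted = set()
    alerts = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or not METADATA_RE.search(m["path"]):
            continue                  # unparsable line or not a metadata fetch
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, tenant = m["ip"], m["path"].split("/")[1]   # tenant = first path segment (assumed)
        q = recent[ip]
        q.append((ts, tenant))        # a 404 still counts: probing a tenant is the signal
        while ts - q[0][0] > window:  # evict fetches that fell out of the window
            q.popleft()
        tenants = sorted({t for _, t in q})
        checks = (("metadata_harvesting", len(q) >= max_fetches),            # DL-001 style
                  ("cross_tenant_enumeration", len(tenants) >= max_tenants))  # DL-027 style
        for signal, fired in checks:
            if fired and (ip, signal) not in alerted:
                alerted.add((ip, signal))
                alerts.append({"ip": ip, "signal": signal, "at": ts.isoformat(),
                               "fetches_in_window": len(q), "tenants": tenants,
                               "user_agent": m["ua"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_metadata_harvesting(SAMPLE_LOG):
        print(alert)
```

Tune the thresholds to your own baseline before alerting: service providers legitimately re-fetch metadata when they start or when a cached document expires, so a single address fetching one tenant's discovery document a couple of times an hour is normal, whereas one address walking several tenant paths within seconds is not. The same per-address counter is what an edge rate limit on these paths should key on, which addresses the "without rate limiting" half of MC-075 without hiding documents that are meant to be public.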
Attack Chain Positioning
Federation metadata collection occurs during the earliest reconnaissance phases, establishing the foundation for complex identity attacks. Understanding this positioning helps security teams implement preventive controls before exploitation.
1. Stage 1: Reconnaissance
   Attackers discover and catalog federation endpoints, metadata URLs, and trust relationships.
2. Stage 2: Identity Enumeration
   Harvested metadata enables targeted enumeration of users, claims, and authentication flows.
3. Downstream Attacks
   Intelligence supports SAML forgery, token replay, federation hijack, and cross-tenant phishing.
🎭 Threat Actor Landscape & Executive Context
DarkHalo (ICTAM-006)
Specialists in SolarWinds-style SAML abuse who weaponize federation metadata for supply chain compromise and downstream token forging.
APT29 (ICTAM-001)
Nation-state actors conducting deep federation reconnaissance to map organizational identity infrastructure and trust relationships.
Volt Typhoon (ICTAM-004)
Hybrid threat groups specializing in trust-path mapping across cloud and on-premises identity systems.
Federation Intrusion Actor (ICTAM-020)
Specialized operators exploiting SAML and OIDC metadata for identity-centric attacks and cross-tenant pivoting.

Related Executive Threat Storylines
  • ETS-004 — OAuth Weakness → Identity-Level Compromise
  • ETS-009 — Privileged Session Hijack → Automated Exfiltration
