A critical reconnaissance pattern where attackers systematically probe identity federation systems to map authentication architectures, trust relationships, and security controls before launching sophisticated identity attacks.
🔍 Understanding the Breach Pattern
Federation Discovery
Attackers probe to identify whether organizations use ADFS, Okta, Ping, Azure AD, or hybrid configurations, revealing the core identity architecture.
User Path Analysis
Distinguishing which users authenticate via federation versus cloud-native login exposes account-level security posture and potential weak points.
MFA Mapping
Determining whether multi-factor authentication is enforced at the Identity Provider or Service Provider level reveals enforcement gaps attackers can exploit.
Federation Enumeration leverages subtle differences in login prompts, HTTP redirects, error codes, metadata endpoints, and response timing. These signals collectively reveal how identity flows are structured, creating a detailed map for subsequent attacks. Legacy federation endpoints often remain active, providing additional reconnaissance opportunities.
🧠 Attacker Objectives & Intelligence Gathering
Primary Reconnaissance Goals
Confirm federation existence and identify active endpoints
Map which accounts use federated authentication paths
Identify MFA enforcement differences across authentication methods
Discover weaknesses in outdated federation configurations
Advanced Attack Planning
Analyze SAML/OIDC trust-path relationships for potential abuse
Locate legacy Service Provider and Identity Provider endpoints
Build account lists segmented by authentication method
Prepare for federation-based credential and token attacks
Critical Insight: Federation enumeration serves as the gateway to sophisticated identity attacks. Understanding the federation architecture is the prerequisite for SAML forgery, trust hijacking, and cross-tenant manipulation attacks.
Different federation authentication paths inadvertently expose account metadata or create behavioral differences that attackers can systematically analyze to map identity infrastructure.
MC-037: Weak Token Signing Certificate Management
Outdated or improperly managed certificates reveal trust chain architectures that attackers can analyze, targeting vulnerable certificate authorities and validation processes.
MC-001: Publicly Exposed User Identifiers
Error messages and system responses leak critical information distinguishing federated accounts from cloud-native authentication, enabling targeted reconnaissance.
MC-075: Weak Network Segmentation for Identity Paths
Detects systematic probing attempts originating from foreign Identity Providers or external tenant environments, indicating reconnaissance of federation trust relationships and cross-organizational identity paths.
DL-039: Federation Claim Manipulation
Captures abnormal interactions with federation trust paths, including unusual claim requests, metadata queries, or attempts to manipulate SAML assertions and OIDC tokens during authentication flows.
DL-001: Unusual External Enumeration Behavior
Identifies large-scale, automated probing of federation endpoints, including metadata discovery requests, error message harvesting, and timing analysis attacks against authentication systems.
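The following is an added example of how the detection logic described for DL-001 (and the probing signals listed under the breach pattern above) can be expressed over web-server access logs in front of an identity provider; it is not code from the original entry or from any vendor product. It assumes Apache-style combined log lines, a short list of well-known federation discovery paths (ADFS metadata and MEX, the OIDC discovery document, a generic SAML metadata path), and the ADFS `username` prefill query parameter as the place where harvested identifiers show up; the thresholds and the sample log lines are constructed for illustration.

```python
"""Flag federation endpoint enumeration in IdP access logs (added example, not the entry's own code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Discovery/login paths worth watching. Assumption for this example; extend with
# whatever your IdP actually serves (e.g. Okta/Ping-specific metadata URLs).
FEDERATION_PATHS = (
    "/FederationMetadata/2007-06/FederationMetadata.xml",
    "/.well-known/openid-configuration",
    "/adfs/services/trust/mex",
    "/adfs/ls/",
    "/saml2/metadata",
)
LOGIN_PATH = "/adfs/ls/"  # assumed interactive login endpoint carrying ?username=

# Combined log format: ip ident user [ts] "METHOD url proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" '
    r"(?P<status>\d{3}) \S+"
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def is_federation_path(path):
    return any(path.startswith(p) for p in FEDERATION_PATHS)


def detect_enumeration(lines, window=timedelta(minutes=5), min_distinct_endpoints=3,
                       min_distinct_users=5, min_requests=20):
    """Return {source_ip: [rule, ...]} for sources whose activity inside any `window`
    matches an enumeration pattern. Thresholds are illustrative assumptions:
      metadata_discovery  - touches several distinct discovery/login endpoints
      username_harvesting - submits many distinct identifiers to the login endpoint
      high_rate_probing   - sheer request volume against federation paths
    """
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fed = [e for e in evs if is_federation_path(e["path"])]
        fired = set()
        for i, start in enumerate(fed):  # sliding window anchored on each event
            win = [e for e in fed[i:] if e["ts"] - start["ts"] <= window]
            endpoints = {e["path"] for e in win}
            users = {u.lower() for e in win if e["path"] == LOGIN_PATH
                     for u in e["query"].get("username", [])}
            if len(endpoints) >= min_distinct_endpoints:
                fired.add("metadata_discovery")
            if len(users) >= min_distinct_users:
                fired.add("username_harvesting")
            if len(win) >= min_requests:
                fired.add("high_rate_probing")
        if fired:
            alerts[ip] = sorted(fired)
    return alerts


# Constructed sample: one source walks discovery endpoints and cycles usernames,
# a second source is an ordinary user signing in once.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2024:09:00:01 +0000] "GET /FederationMetadata/2007-06/FederationMetadata.xml HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:02 +0000] "GET /.well-known/openid-configuration HTTP/1.1" 200 1834 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:03 +0000] "GET /adfs/services/trust/mex HTTP/1.1" 200 22310 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:10 +0000] "GET /adfs/ls/?username=alice@corp.example HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:11 +0000] "GET /adfs/ls/?username=bob@corp.example HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:12 +0000] "GET /adfs/ls/?username=carol@corp.example HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:13 +0000] "GET /adfs/ls/?username=dave@corp.example HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:14 +0000] "GET /adfs/ls/?username=erin@corp.example HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2024:09:00:15 +0000] "GET /adfs/ls/?username=frank@corp.example HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.20 - - [03/Mar/2024:09:01:00 +0000] "GET /adfs/ls/?username=alice@corp.example HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2024:09:01:20 +0000] "POST /adfs/ls/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, rules in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {', '.join(rules)}")
```

In production the same rules would run over the IdP's own audit events rather than web logs, and the distinct-endpoint and distinct-username counts are the two signals that separate a scanner from a confused user: a legitimate client rarely fetches the metadata document, the OIDC discovery document and the MEX endpoint in the same minute, and never cycles through unrelated identifiers on the login page.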
Conducted extensive federation reconnaissance preceding the SolarWinds supply chain compromise, mapping identity trust relationships across targeted organizations to enable persistent access mechanisms.
APT29 (ICTAM-001)
Systematically determines MFA enforcement differences between federated and cloud-native authentication paths, targeting accounts with weaker security controls for initial access and lateral movement.
Volt Typhoon (ICTAM-004)
Performs detailed hybrid federation analysis to identify on-premises infrastructure connections to cloud identity systems, enabling long-term persistent access to critical infrastructure environments.
Federation Intrusion Actor (ICTAM-020)
Specializes in targeted metadata probing and federation endpoint discovery, demonstrating advanced understanding of SAML, OIDC, and modern identity federation architectures.