SAML Token Forgery—known as Golden SAML—represents one of the most devastating identity attacks ever documented. Adversaries forge cryptographically valid SAML tokens without requiring passwords, MFA, session cookies, or any user interaction whatsoever.
Once attackers compromise the SAML signing certificate or gain access to the Security Token Service (STS), they manufacture authentication tokens for any organizational identity: global administrators, service accounts, high-privilege cloud roles, and federated SaaS accounts.
This attack bypasses every layer of identity protection because forged tokens are cryptographically indistinguishable from legitimate ones. The authentication system has no mechanism to detect the forgery.
Attack Scope
No passwords needed
Bypasses MFA completely
Valid cryptographic signatures
Impersonate any identity
Cross-cloud persistence
Attacker Objectives & Capabilities
Identity Impersonation
Forge tokens for any user including global administrators, bypassing all authentication controls through valid cryptographic signatures.
Privilege Escalation
Manufacture high-privilege tokens on demand, gaining administrative access across cloud platforms and federated services instantly.
Persistent Access
Establish a long-term foothold across cloud environments, email systems, file storage, admin portals, and API endpoints while remaining undetected.
Trust Boundary Pivot
Leverage federated trust relationships to move laterally between organizations, cloud tenants, and SaaS applications seamlessly.
Golden SAML is considered the nuclear option of federation abuse—a single compromised signing certificate grants adversaries god-mode access to your entire identity infrastructure.
Critical Misconfigurations
1. MC-171: Weak Federation Signing Key Protection
SAML signing certificates stored insecurely in file systems, configuration databases, or accessible memory locations, with no hardware security module (HSM) protection and no key rotation policy.
2. MC-172: Over-Permissioned Federation Servers
Federation infrastructure granted excessive privileges, including domain admin rights, cloud tenant admin, or service account permissions beyond what token signing requires.
3. MC-173: Inadequate Token Signing Monitoring
No security telemetry, alerting, or anomaly detection around certificate access events, signing operations, or unusual SAML assertion generation patterns.
4. MC-111: Incomplete MFA Configuration
MFA cannot prevent Golden SAML once the signing key is compromised, but weak MFA implementations increase the likelihood of the initial server compromise through phishing or credential theft.
Flags SAML tokens with inconsistent metadata: spoofed issuer identifiers, mismatched audience claims, or assertions targeting services with no established trust relationship.
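The metadata checks described above, as an added example that is not part of the original page: the trust table (which issuer entity ID may assert for which audiences), the sample assertions and the one-hour lifetime ceiling are all constructed for illustration, and the lifetime check goes one step beyond the text because abnormally long validity windows are another inconsistency worth surfacing alongside issuer and audience mismatches.

```python
"""Metadata consistency checks for SAML 2.0 assertions.

Added example (not from the original page): the trust table and the sample
assertions below are constructed for illustration.
"""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed trust table: each issuer (IdP entity ID) and the audiences
# (relying-party entity IDs) it is allowed to issue assertions for.
TRUSTED_FEDERATIONS = {
    "https://sts.example.test/adfs/services/trust": {
        "urn:federation:MicrosoftOnline",
        "https://crm.example.test/saml",
    },
}

# Assertions valid for longer than this are suspicious even when otherwise consistent (assumed ceiling).
MAX_ASSERTION_LIFETIME = timedelta(hours=1)


def _parse_saml_time(value):
    # SAML uses xs:dateTime in UTC with a trailing "Z"; fromisoformat needs "+00:00" on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text):
    """Return a list of findings for one assertion; an empty list means no inconsistency found."""
    findings = []
    root = ET.fromstring(xml_text)

    issuer_el = root.find("saml:Issuer", SAML_NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    allowed_audiences = TRUSTED_FEDERATIONS.get(issuer)
    if allowed_audiences is None:
        findings.append(f"issuer not in trust table (possible spoofed issuer): {issuer!r}")
        allowed_audiences = set()

    audiences = [
        (a.text or "").strip()
        for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)
    ]
    if not audiences:
        findings.append("assertion carries no AudienceRestriction")
    for audience in audiences:
        if audience not in allowed_audiences:
            findings.append(f"audience {audience!r} has no trust relationship with issuer {issuer!r}")

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is not None and conditions.get("NotBefore") and conditions.get("NotOnOrAfter"):
        lifetime = _parse_saml_time(conditions.get("NotOnOrAfter")) - _parse_saml_time(conditions.get("NotBefore"))
        if lifetime > MAX_ASSERTION_LIFETIME:
            findings.append(f"assertion lifetime {lifetime} exceeds {MAX_ASSERTION_LIFETIME}")
    return findings


def build_assertion(issuer, audience, not_before, not_on_or_after, subject="alice@example.test"):
    """Build a minimal unsigned assertion for exercising the checks above (constructed sample data)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id1" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


GOOD_ISSUER = "https://sts.example.test/adfs/services/trust"
SAMPLES = {
    "consistent": build_assertion(GOOD_ISSUER, "urn:federation:MicrosoftOnline",
                                  "2024-05-01T12:00:00Z", "2024-05-01T13:00:00Z"),
    "spoofed_issuer": build_assertion("https://sts.attacker.test/adfs/services/trust",
                                      "urn:federation:MicrosoftOnline",
                                      "2024-05-01T12:00:00Z", "2024-05-01T13:00:00Z"),
    "untrusted_audience": build_assertion(GOOD_ISSUER, "https://payroll.partner.test/saml",
                                          "2024-05-01T12:00:00Z", "2024-05-01T13:00:00Z"),
    "long_lived": build_assertion(GOOD_ISSUER, "urn:federation:MicrosoftOnline",
                                  "2024-05-01T12:00:00Z", "2024-05-08T12:00:00Z"),
}

if __name__ == "__main__":
    for name, assertion in SAMPLES.items():
        print(name, "->", check_assertion(assertion) or "no findings")
```

These checks deliberately do not touch the signature: a Golden SAML token verifies correctly, so the only signal left in the token itself is whether its issuer, audience and validity window agree with what the federation trust configuration says should exist.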
DL-045: Impossible Travel in Federated Tokens
Identifies federated authentication sessions appearing without corresponding login events, or geographically impossible authentication sequences within federation flow timestamps.
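Both halves of DL-045 as an added example, not code from the original page: it correlates cloud sign-ins that presented a federated token with the federation server's own login events, and separately checks consecutive events per user for travel speeds no aircraft could achieve. The event records, the ten-minute correlation window and the 900 km/h speed ceiling are constructed assumptions.

```python
"""Correlate federated (SAML) cloud sign-ins with the IdP's own login events and
flag geographically impossible sequences.

Added example, not from the original page; the event records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    source: str   # "idp": login recorded by the federation server; "cloud": federated sign-in at the service
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_orphan_federated_sessions(events, window=timedelta(minutes=10)):
    """Cloud sign-ins with no IdP login for the same user inside `window` before them.

    A forged token is minted outside the IdP, so the IdP never records the login
    that should precede the federated session."""
    idp_logins = {}
    for e in events:
        if e.source == "idp":
            idp_logins.setdefault(e.user, []).append(e.ts)
    orphans = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.source != "cloud":
            continue
        if not any(e.ts - window <= t <= e.ts for t in idp_logins.get(e.user, [])):
            orphans.append(e)
    return orphans


def find_impossible_travel(events, max_speed_kmh=900.0, min_distance_km=50.0):
    """Consecutive events per user whose implied travel speed exceeds `max_speed_kmh`."""
    by_user = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for seq in by_user.values():
        for prev, cur in zip(seq, seq[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue  # ignore geo-IP jitter within one region
            hours = max((cur.ts - prev.ts).total_seconds() / 3600.0, 1e-6)
            if dist / hours > max_speed_kmh:
                flagged.append((prev, cur))
    return flagged


def stamp(hhmm):
    """Timestamp on a fixed sample day (constructed helper)."""
    return datetime(2024, 5, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry: alice logs in at the IdP from London and gets a
# federated session; later a federated session for alice appears from Singapore
# with no IdP login behind it; bob's federated session has no IdP login at all.
SAMPLE_EVENTS = [
    AuthEvent("idp",   "alice", stamp("09:00"), "203.0.113.10", 51.5074, -0.1278),
    AuthEvent("cloud", "alice", stamp("09:01"), "203.0.113.10", 51.5074, -0.1278),
    AuthEvent("cloud", "bob",   stamp("09:05"), "198.51.100.7", -23.5505, -46.6333),
    AuthEvent("cloud", "alice", stamp("09:30"), "192.0.2.44",   1.3521, 103.8198),
]

if __name__ == "__main__":
    for e in find_orphan_federated_sessions(SAMPLE_EVENTS):
        print(f"federated session without IdP login: {e.user} at {e.ts} from {e.ip}")
    for prev, cur in find_impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel for {cur.user}: {prev.ip} -> {cur.ip} within {cur.ts - prev.ts}")
```

The orphan-session check is the one that matters most for Golden SAML: it needs the federation server's login log and the cloud provider's sign-in log joined on user and time, which is exactly the telemetry MC-173 says is usually missing.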
DL-024: Unusual API Access Patterns
Forged tokens often produce distinctive API behaviors: access to unexpected resources, unusual query patterns, or service interactions inconsistent with the user's historical profile.
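A per-user baseline comparison for DL-024, added here as an example and not taken from the original page: each API session is scored by the share of requests against resources the user has never touched before and by its request volume relative to the user's typical session. The baseline, the resource paths and the thresholds are constructed assumptions.

```python
"""Score API sessions against each user's historical resource profile.

Added example, not from the original page; the baseline and session records are constructed.
"""
from collections import Counter

# Constructed 30-day baseline per user: request counts per resource path and the
# typical number of requests in one session.
BASELINE = {
    "alice@example.test": {
        "resources": Counter({"/me/messages": 900, "/me/mailFolders": 120, "/me/drive/root/children": 60}),
        "typical_session_requests": 25,
    },
}


def profile_session(user, resources, baseline=BASELINE):
    """Summarise one session's list of accessed resource paths against the user's baseline.

    Users with no baseline entry are scored as all-novel, so they surface for review
    rather than silently passing."""
    entry = baseline.get(user, {"resources": Counter(), "typical_session_requests": 1})
    counts = Counter(resources)
    total = sum(counts.values())
    novel = {r: n for r, n in counts.items() if r not in entry["resources"]}
    return {
        "total": total,
        "novel_fraction": (sum(novel.values()) / total) if total else 0.0,
        "novel_resources": sorted(novel),
        "volume_ratio": total / max(entry["typical_session_requests"], 1),
    }


def is_anomalous(report, novel_threshold=0.5, volume_threshold=5.0, min_requests=10):
    """Flag a session when most of its requests hit never-seen resources or its volume is a large multiple of normal."""
    if report["total"] < min_requests:
        return False  # too little activity to judge
    return report["novel_fraction"] >= novel_threshold or report["volume_ratio"] >= volume_threshold


# Constructed sessions: routine mailbox use versus broad directory enumeration
# that matches nothing in the user's history.
NORMAL_SESSION = ["/me/messages"] * 20 + ["/me/mailFolders"] * 4
SUSPICIOUS_SESSION = ["/users"] * 40 + ["/groups/members"] * 30 + ["/applications"] * 10 + ["/me/messages"] * 5

if __name__ == "__main__":
    for label, session in (("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        report = profile_session("alice@example.test", session)
        print(label, "anomalous" if is_anomalous(report) else "ok", report)
```

The novel-resource share is the more robust of the two signals: an adversary holding a forged administrator token usually reaches for directory, role and application endpoints that the impersonated user's mailbox-centric history never contains, whereas raw volume is easy to keep low.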
Primary threat group behind the SolarWinds supply chain attack, which leveraged Golden SAML for widespread cloud compromise across government and enterprise targets.
APT41 (ICTAM-004)
Advanced federation abuse techniques targeting multi-cloud environments with sophisticated SAML forgery and cross-tenant lateral movement capabilities.
Emerging Threat Groups
Federation Manipulation Cartel (ICTAM-022)
Underground marketplace distributing automated SAML forgery toolkits, lowering the barrier to entry for Golden SAML attacks across criminal networks.
Scattered Spider (ICTAM-010)
Large-scale federated identity hijacking campaigns combining social engineering with technical SAML exploitation for ransomware and data theft operations.
Golden SAML represents the most severe identity infrastructure compromise scenario. Organizations must implement HSM-protected signing keys, comprehensive federation monitoring, and assume-breach detection strategies to defend against this threat.