Advanced | MITRE ATT&CK T1606.002

Golden SAML & Federation Attacks

By stealing the ADFS token-signing certificate, attackers forge SAML tokens to impersonate any user in Entra ID -- the technique behind the SolarWinds/APT29 attack that compromised major government agencies.

Many organizations use Active Directory Federation Services (ADFS) to let their on-premises users sign into cloud services like Microsoft 365 and Azure. ADFS works by issuing signed SAML tokens -- digital documents that say "this user is who they claim to be." These tokens are signed with a special certificate called the token-signing certificate. If an attacker steals this certificate's private key -- which is stored on the ADFS server -- they can forge SAML tokens for any user in the organization. This means they can sign in as the CEO, a Global Admin, or any other user without knowing their password. This attack is called Golden SAML. It was famously used in the SolarWinds attack (2020) by the Russian APT29 (Cozy Bear) group to compromise U.S. government agencies and major corporations.

In a medieval kingdom, the royal seal authenticates all official decrees. Anyone with the seal can issue orders as the king. Golden SAML is like stealing the royal seal (ADFS token-signing certificate): once you have it, you can forge official decrees (SAML assertions) claiming to be anyone -- the king, a general, or a diplomat. The recipients (Entra ID, cloud apps) trust the decree because the seal is genuine. The forgery survives even if the king changes his password, because the seal -- not the password -- is what grants access.

Key Takeaways

  1. Golden SAML forges SAML tokens using a stolen ADFS certificate -- bypassing MFA and surviving password resets.
  2. The SolarWinds/APT29 attack demonstrated Golden SAML at scale against government and enterprise targets.
  3. The ADFS token-signing certificate private key is the crown jewel in federated environments.
  4. Migrating from ADFS to Entra ID cloud-native authentication eliminates the Golden SAML attack surface entirely.
  5. Detection relies on correlating SAML token issuance with ADFS server event logs to spot forged tokens.
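One way to implement the correlation in takeaway 5, added here as an example that is not part of the original page: a Python script that compares constructed Entra ID federated sign-in records against constructed AD FS audit-log records and flags sign-ins with no matching token issuance. The record shapes, the five-minute window, and the use of AD FS audit event 1200 (token issued) as the issuance signal are assumptions about how the logs are exported.

```python
from datetime import datetime

# Constructed AD FS audit records (assumed export shape: event_id, user, time).
# AD FS logs event 1200 when the Federation Service issues a token; that event is
# the "issuance" side of the correlation. A forged (Golden SAML) token is built
# offline from the stolen key and never passes through AD FS, so it has no event.
ADFS_EVENTS = [
    {"event_id": 1200, "user": "alice@corp.example", "time": "2020-12-14T09:00:05Z"},
    {"event_id": 1200, "user": "bob@corp.example", "time": "2020-12-14T09:12:40Z"},
    {"event_id": 1202, "user": "bob@corp.example", "time": "2020-12-14T09:12:39Z"},
]

# Constructed federated sign-ins as recorded by the relying party (Entra ID).
CLOUD_SIGNINS = [
    {"user": "alice@corp.example", "time": "2020-12-14T09:00:07Z", "app": "Exchange Online"},
    {"user": "bob@corp.example", "time": "2020-12-14T09:12:42Z", "app": "SharePoint Online"},
    # Global Admin sign-in at 03:41 with no AD FS issuance for that user at all.
    {"user": "globaladmin@corp.example", "time": "2020-12-14T03:41:10Z", "app": "Azure Portal"},
    # Bob again, 40 minutes after his only issuance: outside the window.
    {"user": "bob@corp.example", "time": "2020-12-14T09:52:00Z", "app": "Azure Portal"},
]


def parse_ts(ts):
    """Parse the constructed ISO-8601 UTC timestamps."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unbacked_signins(signins, adfs_events, window_seconds=300):
    """Return cloud sign-ins that no AD FS token issuance (event 1200) for the
    same user explains within window_seconds before the sign-in. The window must
    cover log latency and clock skew between AD FS and the tenant; too small a
    window yields false positives, too large a window hides forged tokens."""
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] == 1200:
            issued.setdefault(ev["user"].lower(), []).append(parse_ts(ev["time"]))
    suspicious = []
    for s in signins:
        t = parse_ts(s["time"])
        backed = any(
            0 <= (t - issue_time).total_seconds() <= window_seconds
            for issue_time in issued.get(s["user"].lower(), [])
        )
        if not backed:
            suspicious.append(s)
    return suspicious


if __name__ == "__main__":
    for hit in find_unbacked_signins(CLOUD_SIGNINS, ADFS_EVENTS):
        print("no AD FS issuance backs sign-in:", hit["user"], hit["time"], hit["app"])
```

In production the same join runs in the SIEM over the tenant's sign-in logs and the AD FS security log with auditing enabled; a privileged account appearing in the cloud with no issuance on any AD FS node is the signal worth paging on.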

Why Should I Care?

Golden SAML is one of the most devastating cloud identity attacks because it provides persistent, stealthy access to every cloud resource. The SolarWinds breach proved that nation-state actors actively exploit this technique against high-value targets.

Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.