I read this answer on mitigation and detection of the Golden SAML attack, but I wanted to investigate further how preventable it is and how an organization could nullify an attack before it happens.
My understanding here is that the entire ability of Golden SAML to be a threat is through compromising a trusted Identity Provider. Once that entity is compromised, an attacker can generate a SAMLResponse that is signed/encrypted by the private key of the compromised host, thus tricking the Service Provider (with the public key to decrypt/authenticate) into believing that the response comes from a valid provider.
Two questions arose out of this:
- Where does an SP get its list of usable public keys to compare against the SAML Response from an IdP?
  - Is this something like a browser CA, where the browser developers control who's trustworthy (in this case, the Service Provider would control it) and there's a universal list shared by every (browser) service provider?
  - Or is it controlled by the actual SP admin and part of the SAML configuration agreed upon between the SP and IdP?
  - Or maybe a third option I haven't thought of.
- Depending on the answer above, what approaches should be taken besides "secure your IdP against attacks and compromise"?
  - Can the IdPs rotate their keypairs every so often and update the registered public key with the SP?
  - Can there be a separate "re-verify" step between IdPs and SPs every so often, where a trusted entity ensures that the IdP is who they say they are through another method besides public/private key exchange (in line with bullet point one above)? One of the reasons I thought of this was HashiCorp's Vault unseal, where multiple keys are required. Maybe the "multiple keys needed" in this scenario to re-verify are other mechanisms than the IdP/SP exchange, like a third party verifying IdP identity.
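As an added illustration of the SP-side trust question raised in the post (not code from the question, an answer, or any SAML library), the following Go model shows where an SP's accepted signing keys come from and what key rotation looks like: the SP holds only the keys its admin registered from IdP metadata, old and new keys overlap during rollover, and a response signed with any key outside that set is rejected. The `TrustStore` type, the key-name indexing and the raw-bytes response are assumed simplifications of real SAML metadata (`<md:KeyDescriptor use="signing">`) and XML-DSig.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// TrustStore models the SP side: the only signing keys accepted are those the SP
// admin registered from IdP metadata, indexed by the key name the IdP advertises.
type TrustStore struct{ signing map[string]*rsa.PublicKey }

func NewTrustStore() *TrustStore { return &TrustStore{signing: map[string]*rsa.PublicKey{}} }

// Register adds a key from newly published IdP metadata; Retire drops it after
// rollover. Keeping old and new keys during the overlap window avoids an outage.
func (t *TrustStore) Register(id string, pub *rsa.PublicKey) { t.signing[id] = pub }
func (t *TrustStore) Retire(id string)                       { delete(t.signing, id) }

// Verify checks a SAMLResponse (modelled as raw bytes) against the key it names.
// An unknown key id is rejected outright, and a signature made with any private
// key the SP never registered fails the RSA check.
func (t *TrustStore) Verify(keyID string, response, sig []byte) bool {
	pub, ok := t.signing[keyID]
	if !ok {
		return false
	}
	digest := sha256.Sum256(response)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Sign is the IdP side: only the holder of the private key yields a valid signature.
func Sign(priv *rsa.PrivateKey, response []byte) []byte {
	digest := sha256.Sum256(response)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	idp, _ := rsa.GenerateKey(rand.Reader, 2048)   // the IdP's current signing key
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the SP never registered
	store := NewTrustStore()
	store.Register("idp-key-2024", &idp.PublicKey) // constructed key id
	resp := []byte(`<samlp:Response ID="_constructed">...</samlp:Response>`) // constructed sample
	fmt.Println("registered key verifies:", store.Verify("idp-key-2024", resp, Sign(idp, resp)))
	fmt.Println("unregistered key verifies:", store.Verify("idp-key-2024", resp, Sign(other, resp)))
}
```

Rotation in this model is the SP admin registering the new metadata key before the IdP starts using it and retiring the old one afterwards; the IdP can rotate as often as it likes, but rotation alone does not help if the attacker already holds the current private key.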