Forging the token that says trust me (Golden SAML)
Steal your AD FS token-signing key and an attacker can mint SAML tokens for anyone, to any federated app, bypassing passwords and MFA. Here is Golden SAML, and how to limit the blast radius.
If you hold the key that signs trust, you do not need anyone’s password. You sign your own way in.
What it is
In SAML federation, AD FS signs the authentication tokens it issues with a token-signing private key. An attacker who compromises the AD FS server and extracts that key can forge valid SAML tokens for any user, with any claims, to any federated application, including cloud services, with no password and no MFA. This was a hallmark of the SolarWinds intrusion. In ATT&CK terms it is T1606.002 (Forge Web Credentials: SAML Tokens) combined with T1556 (Modify Authentication Process).
Why it works
Relying parties trust anything signed by that key, so a forged token is indistinguishable from a genuine sign-in, and rotating user passwords does nothing because no password was ever used. The signing key is the federation root of trust.
How to detect it
Look for SAML sign-ins at relying parties that have no corresponding token-issuance event on the AD FS server, tokens with unusual claims or lifetimes, and access to federated apps with no preceding interactive sign-in.
The fix that holds
Protect AD FS as Tier 0, rotate the token-signing certificate on suspicion (twice, because the old certificate remains trusted as the secondary until a second rollover removes it), and monitor for tokens without a matching AD FS issuance event. Prefer modern authentication with hardware-protected keys, and shrink the federation trust surface where you can.
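The detection described under "How to detect it" and the monitoring called for above come down to one correlation: every SAML sign-in a relying party accepts should be explained by a token-issuance event on the AD FS server (Event ID 1200 in the AD FS Admin log), with a lifetime and claims that match what AD FS actually did. The script below is an added example, not code from the original post or from GraphLattice. The record shapes, field names, policy values and sample log entries are constructed and simplified; they are not the real AD FS or cloud sign-in log schemas.

```python
"""Correlate SAML sign-ins seen by relying parties with AD FS token-issuance
events, flagging tokens AD FS never issued, over-long lifetimes and claims
that do not match what AD FS actually verified.

Added example. Record shapes are constructed and simplified; they are not
the real AD FS (Event ID 1200) or cloud sign-in log schemas."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values): a sign-in must follow an AD FS issuance for
# the same user within MATCH_WINDOW, and SAML tokens should live at most
# MAX_TOKEN_LIFETIME. Privileged group claims raise severity when unexplained.
MATCH_WINDOW = timedelta(minutes=5)
MAX_TOKEN_LIFETIME = timedelta(hours=1)
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrator"}


@dataclass
class AdfsIssuance:
    """One token-issuance record from the AD FS server (simplified)."""
    user: str
    issued_at: datetime
    auth_methods: frozenset   # what AD FS actually verified, e.g. {"password"}


@dataclass
class RelyingPartySignIn:
    """One SAML sign-in as recorded by the federated application (simplified)."""
    user: str
    seen_at: datetime
    not_before: datetime
    not_on_or_after: datetime
    groups: frozenset          # group claims carried in the assertion
    authn_methods: frozenset   # authentication-method claims in the assertion


@dataclass
class Finding:
    user: str
    seen_at: datetime
    severity: str
    reasons: list


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def find_issuance(signin, issuances):
    """Return the latest AD FS issuance for the same user inside the window
    ending at the sign-in, or None if AD FS never issued one."""
    window_start = signin.seen_at - MATCH_WINDOW
    hits = [i for i in issuances
            if i.user == signin.user and window_start <= i.issued_at <= signin.seen_at]
    return max(hits, key=lambda i: i.issued_at) if hits else None


def evaluate(signin, issuances):
    """Apply the three checks to one sign-in; return a Finding or None."""
    reasons = []
    issuance = find_issuance(signin, issuances)
    if issuance is None:
        reasons.append("no AD FS token-issuance event for this user in the window")
    lifetime = signin.not_on_or_after - signin.not_before
    if lifetime > MAX_TOKEN_LIFETIME:
        reasons.append(f"token lifetime {lifetime} exceeds policy maximum {MAX_TOKEN_LIFETIME}")
    if issuance is not None and "mfa" in signin.authn_methods and "mfa" not in issuance.auth_methods:
        reasons.append("assertion claims MFA but AD FS recorded no MFA for this issuance")
    if not reasons:
        return None
    privileged = bool(signin.groups & PRIVILEGED_GROUPS)
    severity = "high" if (issuance is None and privileged) else "medium"
    return Finding(signin.user, signin.seen_at, severity, reasons)


def run_detection(signins, issuances):
    """Evaluate every sign-in; return findings in input order."""
    findings = []
    for s in signins:
        f = evaluate(s, issuances)
        if f:
            findings.append(f)
    return findings


# Constructed sample data (not real logs).
SAMPLE_ISSUANCES = [
    AdfsIssuance("alice", ts("2024-05-01T09:00:10"), frozenset({"password", "mfa"})),
    AdfsIssuance("bob",   ts("2024-05-01T09:05:00"), frozenset({"password"})),
]

SAMPLE_SIGNINS = [
    # Normal: AD FS issued it 30 s earlier, one-hour lifetime, claims match.
    RelyingPartySignIn("alice", ts("2024-05-01T09:00:40"), ts("2024-05-01T09:00:10"),
                       ts("2024-05-01T10:00:10"), frozenset({"Staff"}), frozenset({"password", "mfa"})),
    # Suspicious: the assertion claims MFA, but AD FS only verified a password.
    RelyingPartySignIn("bob", ts("2024-05-01T09:05:30"), ts("2024-05-01T09:05:00"),
                       ts("2024-05-01T10:05:00"), frozenset({"Staff"}), frozenset({"password", "mfa"})),
    # Golden SAML pattern: no issuance on AD FS at all, 24-hour lifetime,
    # privileged group claim.
    RelyingPartySignIn("carol", ts("2024-05-01T09:30:00"), ts("2024-05-01T09:00:00"),
                       ts("2024-05-02T09:00:00"), frozenset({"Domain Admins"}), frozenset({"mfa"})),
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_SIGNINS, SAMPLE_ISSUANCES):
        print(f"[{f.severity}] {f.user} at {f.seen_at.isoformat()}: " + "; ".join(f.reasons))
```

The important design point is where the two logs come from: the AD FS issuance events are pulled from the AD FS servers themselves (or a SIEM that forwards them), while the sign-ins come from the relying party or cloud identity provider. A forged token never touches AD FS, so the gap only shows up when the two sources are joined; a detection that reads only cloud sign-in logs cannot see it. Clock skew between the two sources is why the match uses a window rather than an exact timestamp.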
Practice it
We built a Golden SAML scenario in GraphLattice Range so teams learn why the signing key is Tier 0 and how to respond when it may be stolen.