SAML Certificate Security: The Latest Findings and Potential Impacts

Marc Rogers

Recently, the National Security Agency (NSA) published new findings that reference how previously discovered tactics, techniques, and procedures (TTPs) abusing federated authentication could be used in conjunction with on-premises network access to gain broad access across an organization’s applications. The Cybersecurity and Infrastructure Agency (CISA) has also updated its bulletin to include these attacks, and Microsoft has also published insights. This advisory comes on the heels of the recent supply chain attack involving SolarWinds Orion.

The Okta Service has not been impacted by recent supply chain breaches such as SolarWinds Orion, and Okta’s Service and infrastructure have not been compromised, however, there is potential risk for some Okta customers depending on how these customers have configured federated SSO infrastructure using Microsoft Active Directory Federation Services (ADFS) within Microsoft Active Directory or Microsoft Azure Active Directory.

The uncovered attack methodologies involve compromising SAML trust relationships between an organization’s on-premises infrastructure and any independent identity provider. It’s important to recognize that these TTPs themselves “do not constitute vulnerabilities in the design principles of federated identity management, the SAML protocol, or on-premises and cloud identity services,” according to the NSA.

How Okta Protects Your Organization’s SAML Certificates

Okta has built a secure, reliable infrastructure in the cloud that significantly reduces the risk of SAML certificate compromise or theft from within the Okta Identity Cloud. When an Okta customer establishes a new customer tenant, Okta automatically generates a 256-bit AES symmetric key used to encrypt the customer's data, including the SAML signing certificate. These customer-specific keys are encrypted with a master key stored in Amazon's Key Management Service (KMS), as well as a FIPS 140-2 Level 2 certified hardware security module with Level 3 physical protection. This ensures that no system or employee has access to the private keying material.

All virtual machine instances within the production environment can only communicate with each other on specific ports and protocols. No outbound communication is permitted that originates from the production environment and Okta monitors all outbound traffic from Okta’s production environment for anomalies using both proprietary and commercial traffic monitoring and intrusion detection systems. These measures would help prevent the exfiltration of key data by an external attacker.

In addition, Okta performs logging and monitoring of all access to the KMS and customer keys to ensure the access is authorized. Okta's security team has in place measures to be alerted upon detection of an unauthorized or abnormal access by an Okta employee or system to protect against an insider threat.

Finally, Okta operates on a shared security model, and provides customers with detailed visibility into their use of the Okta service through the system log and pre-built connectors to many common SIEM tools. By ingesting their Okta tenant log data and comparing it with authentications in their downstream applications, customers can detect and respond to SAML forgery attacks.

Potential Risk

In Microsoft’s findings, the company describes how the primary attack vector involves attacking the SAML trust relationship established between Federated SSO infrastructure using Microsoft Active Directory Federation Services (ADFS) within Microsoft Active Directory or Microsoft Azure Active Directory. By attacking this trust relationship, the attackers are able to gain access to credentials or key material that allows them to forge trusted SAML authentication tokens.

The SolarWinds Orion breach and these SAML-related TTPs illustrate three key area of focus for security leaders:

1. The importance of defense in depth and the adoption of a Zero Trust security model. Strategies like Zero Trust help organizations put defense in depth models into place that align to a modern work environment and protect against rapidly evolving threats. With credential and identity attacks still increasingly pervasive, identity and device security serve as the foundation for Zero Trust. Pairing these solutions with other critical security technologies -- email, network, data-centric, etc. -- with strong security hygiene practices can provide multiple layers of protection and also provide visibility into potentially risky behaviors.

2. The value of consolidating identity in the cloud. As detailed above, Okta has significant security measures in place to protect customer SAML certificates and keys. However, federation of authentication from less secure on-premises systems can limit some of the protections that Okta has in place, including system hardening, configuration, and monitoring. Okta strongly advises customers to rethink their use of AD within their technology environment as part of their strategy to minimize risk.

3. The significance of the software supply chain. The recent uptick in supply chain-based attacks shows that attackers know and are taking advantage of the weakest aspects of the software supply chain. This becomes particularly poignant when looked at through the lens of critical, on-premises infrastructure such as the Solarwinds Orion infrastructure at the heart of the recent breaches.

What Your Organization Can Do

As your security and technology partner, Okta is committed to helping your organization recognize and respond to potential security compromises. Below are some resources that may be helpful in managing your security posture:

- Consider following the guidance from CISA related to this attack. In particular, your organization may want to check for signs of an intrusion by searching for the published indicators of compromise in your environment.

- Consider reviewing the guidance laid out by NSA in its advisory “Detecting Abuse of Authentication Mechanisms”. Look for unexpected trust relationships that have been added to Microsoft Azure Active Directory. Examine logs for suspicious SAML tokens or anomalous token use, or tokens with attributes that don’t match the normal baseline. Examine logs for the suspicious use of privileged service credentials.

- Consider reviewing all administrator accounts responsible for managing federated SSO to check for unauthorized configuration changes or users.

- If it is determined that unauthorized accounts or other evidence of stolen on-premises Active Directory SAML keys is uncovered, allowing federated authentication to your organization, you should take prompt action as appropriate to your situation, such as ensuring that your organization rotates SAML secrets and privileged account credentials as soon as possible. Further information on how to perform this is available directly from Microsoft in their blog on Microsoft Office 365 and Azure Active directory on-premises compromise.

- Rethink the use of Microsoft AD within your technology environment. It is possible to operate a company without AD and employ a stronger defense in depth security approach, focusing on a Zero Trust posture for the long term. Learn more.

As the threat landscape continues to evolve, it is important that every organization consider their unique technical, operational, and business circumstances in determining their security posture and actions moving forward. Okta and its security team will continue to serve as your partner. Should you have any questions or concerns, please contact

Marc Rogers
Senior Director, Cybersecurity Strategy

Marc Rogers is the Senior Director of Cybersecurity at Okta. With a career that spans more than thirty years, he has been hacking since the 80's and is now a white-hat hacker. Prior to Okta, Marc served as the Head of Security for Cloudflare and spent a decade managing security for the UK operator, Vodafone. He was a CISO in South Korea and co-founded a disruptive Bay Area startup. In his role as technical advisor on “Mr. Robot,” he helped create hacks for the show. And, as if that’s not enough, he also organizes the world’s largest hacking conference: DEF CON. In early 2020, Marc co-founded the CTI League, a global volunteer based organization that defends healthcare during the pandemic.