SAMLSmith

Presented at DEF CON 33 (2025), Aug. 8, 2025, 10 a.m. (45 minutes).

SAMLSmith is the go-to tool for penetrating SAML applications with response forging. An evolution of the original tooling developed as a proof of concept for SAML response forging in Entra ID, SAMLSmith is the product of continued research on SAML. While SAML is far from new, enterprises still do not prioritize the security of how SaaS applications integrate, nor do they understand best practices for securing them. With many factors at play, SAML response forging can range from extremely difficult to near impossible for a SOC to detect. SAMLSmith has a lot of tricks up its sleeve, including:

  • Multiple identity provider response forging.
  • AD FS specific response forging mode.
  • SAML request processing.
  • InResponseTo support.

SAMLSmith can be used in several response forging scenarios where the private key material can be obtained. To demonstrate its use, we’ll explore using SAMLSmith to perform a Golden SAML attack against AD FS. Further, we’ll demonstrate a use of SAMLSmith that ties into new research around response forging, penetrating certain types of SaaS applications with even more stealth.

Presenters:

  • Eric Woodruff
    Eric is the chief identity architect for Semperis. He previously was a member of the security research and product teams. Prior to Semperis, he worked as a security and identity architect at Microsoft partners, spent time at Microsoft as a senior premier field engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager. He is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. He is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. He further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.
  • Tomer Nahum - Security Researcher at Semperis
    Tomer is a security researcher at Semperis, where he works to find new attacks and how to defend against them in on-prem identity stacks such as Active Directory, as well as cloud identity systems. He was awarded Most Valuable Researcher (MVR) in 2023 by Microsoft Security Response Center (MSRC).
