SpAML: Spoofing Users in Azure AD With SAML Claims Transformations

property            value
tags                azure-ad,azure-cloud,cloud-attacks,saml-authentication
url
original_word_count 2326

Article Excerpt

For those that believe SAML is dead, they should take a look at the Azure AD Application Gallery. While the authentication standard finished baking almost two decades ago, it’s still a staple for integration of applications with Azure AD.

Long Summary

The article discusses the responsible disclosure of a proof case for NameID spoofing in Azure AD. SAML remains a popular standard for integrating applications with Azure AD, and an account holding a role that can edit an enterprise application's SAML claims configuration (Global Administrator, Application Administrator or Cloud Application Administrator) can add a claims transformation that rewrites the NameID in the SAML response, letting an attacker impersonate a highly privileged user in the target application. The NameID is the unique attribute that identifies the user to the application, and Azure AD defaults to the Email Address format for it, so the application resolves the user by e-mail address. The article provides an example of a malicious transform that spoofs a user this way. Unfortunately, detecting such a transform is difficult, because the normal channels, including the audit log, do not expose the data needed.

The author initially opened a case with MSRC on August 30th, 2022, and received a response on October 10th, 2022 that the behaviour was considered to be by design. A support case was then opened with Microsoft on October 20th, 2022, but the initial response from the support engineer (SE) was inaccurate. After the author provided additional clarity, the SE scheduled a call for November 14th, 2022 at 9:30am EST, but did not call at that time. The SE then emailed and scheduled a call for November 18th, 2022 at 10:00am EST, but again did not call. On November 21st, 2022, the SE emailed indicating that the author had not answered their phone at an unspecified time, which was not true. The SE then called the author outside of working hours on November 28th, 2022, and the author replied with times at which the SE could reach them. Finally, on December 9th, 2022, the SE called and the author was able to walk them through the details of the case, demonstrating that the changes were not being properly audited. The SE then indicated that the case needed to be escalated, and on December 14th, 2022, the SE called to let the author know the case was still being investigated.

To prevent malicious transforms, accounts holding the Global Administrator, Application Administrator or Cloud Application Administrator roles should be separated from daily-driver accounts; should not be mail-enabled; should be cloud-only, not synchronized from Active Directory; should use Azure AD PIM with an MFA requirement for elevation; should be covered by a Conditional Access policy requiring MFA for Azure management; should use passwordless authentication; should be in scope for Azure AD Identity Protection; and should require a Privileged Access Workstation (PAW) for highly privileged operations. The article concludes with a description of the featured image, which is the
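As an added example that is not part of the original article, the following Microsoft Graph PowerShell script enumerates the current holders of the three roles named above and flags the two account properties the guidance calls out (mail-enabled, synchronized from Active Directory). It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account is granted the RoleManagement.Read.Directory and User.Read.All scopes; the role template IDs are Microsoft's well-known values and are the same in every tenant.

```powershell
# Added example (not from the article): list who can edit enterprise application
# SAML claims configuration and flag accounts that break the article's guidance.
# Assumed scopes: RoleManagement.Read.Directory, User.Read.All.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All' -NoWelcome

# Well-known role template IDs (identical in every tenant).
$roleTemplates = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3' = 'Application Administrator'
    '158c047a-c907-4556-b7ef-446551a6b5f7' = 'Cloud Application Administrator'
}

# Get-MgDirectoryRole only returns roles that have been activated in the tenant,
# and only *active* assignments; PIM-eligible assignments are not included here.
$roles = Get-MgDirectoryRole -All |
    Where-Object { $roleTemplates.ContainsKey($_.RoleTemplateId) }

$findings = foreach ($role in $roles) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        # Groups and service principals holding the role need their own review.
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $u = Get-MgUser -UserId $m.Id `
            -Property Id,UserPrincipalName,Mail,ProxyAddresses,OnPremisesSyncEnabled

        [pscustomobject]@{
            Role         = $roleTemplates[$role.RoleTemplateId]
            UPN          = $u.UserPrincipalName
            # Guidance: privileged accounts should not be mail-enabled.
            MailEnabled  = [bool]($u.Mail -or $u.ProxyAddresses)
            # Guidance: privileged accounts should be cloud-only.
            SyncedFromAD = [bool]$u.OnPremisesSyncEnabled
        }
    }
}

$findings | Sort-Object Role, UPN | Format-Table -AutoSize

# Accounts listed here violate at least one of the recommendations above.
$findings | Where-Object { $_.MailEnabled -or $_.SyncedFromAD }
```

Because the directory-role endpoints report only active assignments, run this after an eligible assignment has been activated, or additionally enumerate eligibility with Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance, to avoid missing PIM-eligible holders of these roles.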

Short Summary

📓 SpAML: Spoofing Users in Azure AD With SAML Claims Transformations

πŸ‘‰πŸ½ For those that believe SAML is dead, they should take a look at the Azure AD Application Gallery. While the authentication standard finished baking almost two decades ago, it’s still a staple for integration of applications with Azure AD. Microsoft Security Response Center (MSRC) reacting to vulnerability disclosure.

πŸ‘‰πŸ½ Discusses responsible disclosure of proof case on NameID spoofing in Azure AD. πŸ‘‰πŸ½ SAML is a popular authentication standard for integrating apps with Azure AD. πŸ‘‰πŸ½ Spoofing a user within SAML response allows an attacker to impersonate a privileged user. πŸ‘‰πŸ½ NameID default format is Email Address. πŸ‘‰πŸ½ Article provides an example of how malicious transforms can be used to spoof users. πŸ‘‰πŸ½ Normal channels do not expose data needed for detecting transforms. πŸ‘‰πŸ½ SE responses inaccurate despite providing additional clarity. πŸ‘‰πŸ½ Preventing malicious transforms requires privilege separation and strong authentication measures. πŸ‘‰πŸ½ Azure AD PIM and MFA required for privileged elevation. πŸ‘‰πŸ½ Featured image shows MSRC reacting to vulnerability disclosure.

#responsibledisclosure #NameIDspoofing #SAML #AzureAD #privilegedaccess