Attacks against SSO are not new. The Golden SAML attack (CyberArk, 11/2017) uses a stolen SAML signing certificate to forge SAML responses, and it was used in the recent SolarWinds compromise. More recently, new proof-of-concept identity attacks have been published, such as taking over a Facebook account that uses Gmail as its SSO identity provider via OAuth 2.0 (Sammouda, 5/2022), which chains a traditional web vulnerability (XSS) with the design of the OAuth protocol to steal OAuth session tokens. AWS's SSO implementation mixes SAML, OAuth, and traditional AWS access keys, which opens up more areas for attackers to abuse. These attacks pose new challenges for security operations: they work remotely by design with no need for endpoint compromise, they grant near-permanent access, they never go through an MFA challenge, and security operations has incomplete controls for preventing, detecting, and responding to them.

In this session we will cover how these attacks work, what is different about them, and how the underlying SSO protocols and features are used and abused. Hands-on demos illustrate the new attacks, with security architecture slides to clarify fundamental concepts, data flows, and the efficacy of defensive measures.
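
One detection angle for the Golden SAML case described above, as an added example that is not part of the talk or of Netskope's tooling: a forged SAML response is signed with the IdP's stolen signing key, so the service provider (SP) accepts it as genuine, but the IdP never authenticated the user and has no matching sign-in record. Correlating SP-side SAML logins against IdP-side sign-in events surfaces such orphan logins, and checking the assertion's validity window catches the over-long lifetimes that give near-permanent access. The log events and field names below are constructed for illustration; map them onto whatever your IdP and SP actually emit.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions
# for illustration; map them onto whatever your IdP and SP actually emit.
IDP_SIGNINS = [
    {"user": "alice@example.com", "ts": "2022-06-01T09:00:00+00:00", "mfa": True},
    {"user": "bob@example.com",   "ts": "2022-06-01T09:10:00+00:00", "mfa": True},
]

SP_LOGINS = [
    # Normal: the IdP authenticated alice 30 s earlier, 1 h assertion validity.
    {"user": "alice@example.com", "ts": "2022-06-01T09:00:30+00:00",
     "not_before": "2022-06-01T09:00:00+00:00",
     "not_on_or_after": "2022-06-01T10:00:00+00:00"},
    # Suspicious: carol never signed in at the IdP, and the assertion is valid
    # for 30 days (the near-permanent access a forged assertion can grant).
    {"user": "carol@example.com", "ts": "2022-06-01T11:00:00+00:00",
     "not_before": "2022-06-01T10:59:00+00:00",
     "not_on_or_after": "2022-07-01T10:59:00+00:00"},
    # Suspicious: bob's only IdP sign-in was two hours before this SP login.
    {"user": "bob@example.com", "ts": "2022-06-01T11:10:00+00:00",
     "not_before": "2022-06-01T11:09:00+00:00",
     "not_on_or_after": "2022-06-01T12:09:00+00:00"},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with UTC offset into an aware datetime."""
    return datetime.fromisoformat(value)


def find_suspicious_saml_logins(sp_logins, idp_signins,
                                window=timedelta(minutes=5),
                                max_lifetime=timedelta(hours=8)):
    """Return SP logins that have no IdP sign-in for the same user within
    `window` before the login, or whose assertion validity exceeds
    `max_lifetime`. Each finding lists every reason that fired."""
    idp_by_user = {}
    for ev in idp_signins:
        idp_by_user.setdefault(ev["user"], []).append(_ts(ev["ts"]))

    findings = []
    for login in sp_logins:
        t = _ts(login["ts"])
        reasons = []
        # A legitimate SP login is preceded by an IdP authentication for the
        # same user shortly before it. A forged assertion has none.
        matched = any(timedelta(0) <= t - idp_t <= window
                      for idp_t in idp_by_user.get(login["user"], []))
        if not matched:
            reasons.append("no IdP sign-in within window")
        # Forged assertions are free to carry whatever validity the attacker
        # wants; compare against the IdP's configured maximum.
        lifetime = _ts(login["not_on_or_after"]) - _ts(login["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"assertion lifetime {lifetime} exceeds policy maximum")
        if reasons:
            findings.append({"user": login["user"], "ts": login["ts"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_saml_logins(SP_LOGINS, IDP_SIGNINS):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

This only works if the SP records the assertion's subject and validity conditions and the IdP's sign-in log is complete and shipped to the same place; allow for clock skew when choosing `window`. It detects the forged assertion being presented, not the theft of the signing key itself, so it belongs alongside monitoring of the key material. The same orphan-token pattern applies to the OAuth case: a session token that appears at a resource server without a corresponding authorization-grant event at the provider.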
    Jenko Hwong
    Jenko Hwong (@jenkohwong) is a Principal Researcher on Netskope's Threat Research Team, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and Windows security.