| ID | Name |
|---|---|
| ATAGS-T1116.001 | SAML Tokens |
| ATAGS-T1116.002 | Web Cookies |
Threat Actors who possess a valid SAML token-signing certificate (that is, its private key) can forge SAML tokens carrying any permission claims and any lifetime, because the only cryptographic check a relying party performs is that the token was signed by the trusted certificate. The default lifetime of a SAML token is one hour, but the validity period is whatever the token's `conditions ...` element states in its `NotOnOrAfter` value; on the identity provider side this value can be changed using the `AccessTokenLifetime` in a `LifetimeTokenPolicy`. Forged SAML tokens therefore let Threat Actors authenticate to every service that trusts the issuing identity provider for single sign-on (SSO) over SAML 2.0.
This technique is hard to mitigate with preventive controls because it abuses a legitimate system feature: a token signed with the trusted key is, by construction, exactly what the relying party is supposed to accept. What remains is protecting the token-signing key itself and detecting tokens that the identity provider would never have issued, such as assertions whose lifetime exceeds the configured policy or whose claims do not match the user's actual entitlements.
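The following Go program is an added illustration, not code from the original page or from any identity provider: it mints a minimal SAML-style assertion with a throwaway RSA signing key, shows that the relying party's signature check accepts a forged assertion (different subject, elevated role, one-year lifetime) just as readily as a legitimate one-hour assertion, and then applies the extra lifetime and validity-window check that can catch it. The assertion format is deliberately stripped down (no namespaces, ID or audience restriction) and the detached RSA-SHA256 signature stands in for a real enveloped XML-DSig; `DefaultTokenLifetime` reflects the one-hour default the text mentions, and all names, issuer and subject values are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"time"
)

// DefaultTokenLifetime is the one-hour default lifetime the text describes.
const DefaultTokenLifetime = time.Hour

// Conditions models <Conditions NotBefore=... NotOnOrAfter=...>.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
}

// Attribute models one claim inside <AttributeStatement>.
type Attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// Assertion is a deliberately minimal SAML 2.0 assertion (assumption for the example).
type Assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Issuer     string      `xml:"Issuer"`
	NameID     string      `xml:"Subject>NameID"`
	Conditions Conditions  `xml:"Conditions"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

// SignedToken is the serialized assertion plus a detached RSA-SHA256 signature.
// Real SAML uses an enveloped XML-DSig with canonicalization; this stand-in keeps
// the example stdlib-only without changing the verification logic.
type SignedToken struct {
	Assertion []byte
	Signature []byte
}

// NewSigningKey stands in for the IdP's token-signing certificate private key.
func NewSigningKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// ForgeAssertion mints an assertion with whatever subject, claims and lifetime the
// caller asks for. It is exactly what the IdP does when issuing a token, which is
// why holding the signing key suffices: nothing limits the claims or the window.
func ForgeAssertion(key *rsa.PrivateKey, issuer, subject string, roles []string,
	notBefore time.Time, lifetime time.Duration) (SignedToken, error) {
	a := Assertion{
		Issuer: issuer,
		NameID: subject,
		Conditions: Conditions{
			NotBefore:    notBefore.UTC().Format(time.RFC3339),
			NotOnOrAfter: notBefore.Add(lifetime).UTC().Format(time.RFC3339),
		},
		Attributes: []Attribute{{Name: "Role", Values: roles}},
	}
	body, err := xml.Marshal(a)
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Assertion: body, Signature: sig}, nil
}

// VerifySignature is the relying party's cryptographic check. It answers only
// "was this signed by the trusted key?", never "should this token exist?".
func VerifySignature(pub *rsa.PublicKey, tok SignedToken) bool {
	digest := sha256.Sum256(tok.Assertion)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], tok.Signature) == nil
}

// CheckConditions is the policy check layered on top of the signature: "now" must
// fall inside the window, and the window must not exceed the IdP's configured lifetime.
func CheckConditions(tok SignedToken, now time.Time, maxLifetime time.Duration) error {
	var a Assertion
	if err := xml.Unmarshal(tok.Assertion, &a); err != nil {
		return fmt.Errorf("malformed assertion: %w", err)
	}
	nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil {
		return fmt.Errorf("bad NotBefore: %w", err)
	}
	noa, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err != nil {
		return fmt.Errorf("bad NotOnOrAfter: %w", err)
	}
	if now.Before(nb) || !now.Before(noa) {
		return fmt.Errorf("not valid at %s (window %s to %s)", now.Format(time.RFC3339), a.Conditions.NotBefore, a.Conditions.NotOnOrAfter)
	}
	if window := noa.Sub(nb); window > maxLifetime {
		return fmt.Errorf("lifetime %s exceeds policy maximum %s for subject %s", window, maxLifetime, a.NameID)
	}
	return nil
}

func main() {
	key := NewSigningKey()
	issued := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC) // constructed sample time
	now := issued.Add(10 * time.Minute)
	legit, _ := ForgeAssertion(key, "https://idp.example.com", "alice@example.com", []string{"user"}, issued, DefaultTokenLifetime)
	forged, _ := ForgeAssertion(key, "https://idp.example.com", "admin@example.com", []string{"GlobalAdmin"}, issued, 365*24*time.Hour)
	for _, c := range []struct {
		name string
		tok  SignedToken
	}{{"legitimate", legit}, {"forged", forged}} {
		fmt.Printf("%-10s signature ok=%v conditions: %v\n", c.name,
			VerifySignature(&key.PublicKey, c.tok), CheckConditions(c.tok, now, DefaultTokenLifetime))
	}
}
```

Both tokens pass `VerifySignature`; only `CheckConditions` rejects the forged one, and only because its window is longer than the policy the relying party expects the IdP to enforce. A forgery that stays within the normal lifetime but inflates claims would pass both checks, which is why the text's mitigation statement points at the signing key and at correlating claims against known entitlements rather than at the token format.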