by tgsovlerkhgsel
1546 days ago
> Can they download a private SAML certificate? Oh, that's a good one. Definitely something that the software should not allow, because I can't see a legitimate reason for this (allowing to download the certificate is fine, but not the key).

SolarWinds was the first known incident to escalate to a so-called "Golden SAML" attack. If the support staff had access to signing certificates, then that would open the door to a wide-scale exploitation of Okta's clients.
A shower of Golden SAMLs, if you like.