Forging the Keys: Inside SAMLSmith, the C# Framework for Golden & Silver SAML Attacks

SAMLSmith is a C# tool for generating custom SAML responses and implementing Silver SAML and Golden SAML attacks. It provides comprehensive functionality for security researchers and penetration testers working with SAML-based authentication systems.

Use

SAMLSmith provides four primary commands for different operational scenarios:

Command          Purpose                            Input method
generate         SAML response generation           Command line parameters
generateJSON     SAML response generation           JSON configuration file
generateWSJSON   WS-Federation response generation  JSON configuration file
generatePFX      Certificate extraction             AD FS encrypted materials

Commands

generate

Generate SAML responses from command line parameters.

Parameters:

  • --pfxPath – Path to the PFX certificate file
  • --pfxPassword – Password for the PFX file (optional)
  • --idpid – Identity Provider Identifier
  • --recipient – SAML response recipient URL
  • --subjectnameid – Subject NameID in the SAML response
  • --audience – Audience for the SAML response
  • --attributes – Claims/attributes in key=value,key=value format
  • --inResponseTo – InResponseTo parameter (optional)

generateJSON

Generate SAML responses from a JSON configuration file.

JSON Configuration Structure:

    {
        "pfxPath": "C:\\certs\\signing.pfx",
        "pfxPassword": "password123",
        "idpid": "https://sts.company.com/adfs/services/trust",
        "recipient": "https://app.company.com/sso/saml",
        "subjectnameid": "user@company.com",
        "audience": "https://app.company.com",
        "inResponseTo": "optional_response_id",
        "attributes": {
            "http://schemas.microsoft.com/identity/claims/tenantid": "tenant-guid",
            "http://schemas.microsoft.com/identity/claims/objectidentifier": "user-guid",
            "http://schemas.microsoft.com/identity/claims/displayname": "John Doe",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "user@company.com",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "John Doe"
        }
    }

generateWSJSON

Generate WS-Federation responses from a JSON configuration file. Note that the attributes format differs from the SAML JSON format:

JSON Configuration Structure:

    {
        "pfxPath": "C:\\certs\\signing.pfx",
        "pfxPassword": "password123",
        "idpid": "https://sts.company.com/adfs/services/trust",
        "recipient": "https://app.company.com/sso/saml",
        "subjectnameid": "user@company.com",
        "audience": "https://app.company.com",
        "inResponseTo": "optional_response_id",
        "attributes": {
            "http://schemas.microsoft.com/identity/claims/tenantid": "tenant-guid",
            "http://schemas.microsoft.com/identity/claims/objectidentifier": "user-guid",
            "http://schemas.microsoft.com/identity/claims/displayname": "John Doe",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "user@company.com",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "John Doe"
        }
    }

Important: For WS-Federation, the attributes field uses a comma-separated string format rather than a JSON object structure.
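The fields the generate parameters and both JSON configurations set (idpid, recipient, subjectnameid, audience, inResponseTo, attributes) are exactly the fields a relying party must bind before it trusts a response, so a response minted for a different recipient, audience or request is rejected at the service provider. The following Python validator is an added example; it is not SAMLSmith code and not from the page's author. It reuses the page's example values (sts.company.com, app.company.com, user@company.com) as the expected values, the SAML response, the request ID _req1 and the timestamps are constructed for the demonstration, and cryptographic verification of the XML signature is deliberately left to an XML-DSig library; the code only checks that a Signature is present and that its Reference covers the Assertion it sits in.

```python
"""Relying-party checks for a SAML 2.0 Response (added example, not SAMLSmith code).
Signature cryptography is NOT verified here; delegate that to an XML-DSig library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def parse_attributes(spec: str) -> dict:
    """Parse the key=value,key=value form that --attributes accepts."""
    result = {}
    for item in filter(str.strip, spec.split(",")):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {item!r}")
        result[key.strip()] = value.strip()
    return result


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"bad SAML timestamp: {value!r}")


def validate_response(xml_text: str, expected: dict, now_utc: str) -> list:
    """Return the list of mismatches; an empty list means every bound field matched."""
    now, problems = _ts(now_utc), []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.findtext("saml:Issuer", namespaces=NS) != expected["idpid"]:
        problems.append("issuer does not match the expected IdP")
    if root.get("Destination") != expected["recipient"]:
        problems.append("Destination does not match our ACS URL")
    if root.get("InResponseTo") != expected["inResponseTo"]:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    # Wrapping defence: the signed Reference must point at THIS assertion's ID.
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if sig is None:
        problems.append("assertion is not signed")
    elif ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        problems.append("signature Reference does not cover the assertion")
    if assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) != expected["subjectnameid"]:
        problems.append("NameID does not match")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != expected["recipient"]:
            problems.append("SubjectConfirmationData Recipient does not match")
        if scd.get("InResponseTo") != expected["inResponseTo"]:
            problems.append("SubjectConfirmationData InResponseTo does not match")
        if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") is None or now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        aud = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if aud != expected["audience"]:
            problems.append(f"audience {aud!r} is not us")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name, value in expected["attributes"].items():
        if attrs.get(name) != value:
            problems.append(f"attribute {name} missing or wrong")
    return problems


# Constructed sample response (placeholder SignatureValue, request ID _req1).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="https://app.company.com/sso/saml" InResponseTo="_req1">
 <saml:Issuer>https://sts.company.com/adfs/services/trust</saml:Issuer>
 <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://sts.company.com/adfs/services/trust</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
   <ds:Reference URI="#_assert1"/></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@company.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://app.company.com/sso/saml" InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00Z"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://app.company.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>user@company.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

# Expected values mirror the page's example configuration; the request ID is constructed.
EXPECTED = {"idpid": "https://sts.company.com/adfs/services/trust",
            "recipient": "https://app.company.com/sso/saml",
            "subjectnameid": "user@company.com", "audience": "https://app.company.com",
            "inResponseTo": "_req1",
            "attributes": parse_attributes(
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=user@company.com")}

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, EXPECTED, "2024-01-01T12:01:00Z") or "all bound fields match")
```

The Reference check matters because a signed assertion copied next to an unsigned, attacker-controlled one passes a naive "is there a signature" test; binding the Reference URI to the assertion's own ID closes that gap. The InResponseTo and Recipient checks reject unsolicited responses and responses replayed to a different ACS, and the short NotOnOrAfter window limits how long any single issued or forged token remains usable.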

generatePFX

Extract a usable certificate file from AD FS encrypted materials. Given the EncryptedPFX blob from the AD FS configuration database and the DKM decryption key from Active Directory, the command produces a usable PFX certificate file for token signing.

Parameters:

  • --encryptedPFXPath – Path to the EncryptedPFX blob from AD FS configuration database
  • --dkmKeyPath – Path to the DKM decryption key from Active Directory
  • --pfxOutputPath – Output path for the decrypted PFX certificate file

For detailed information about Silver SAML, see: Meet Silver SAML, Golden SAML In the Cloud

Download
