SAMLSmith - Your friendly neighborhood SAML response forger

  • ericonidentity
    Member
    • Aug 2024

    SAMLSmith intends to be a go-to tool for penetration testing, red and purple teaming, and other SAML response hijinks and tomfoolery.
    An evolution of the original tooling developed for proof-of-concept of SAML response forging in Entra ID, SAMLSmith is the product of continued research on the topic of SAML. While response forging is far from new, there is a confluence of things happening on the interweb:
    • SAML is still more widely adopted than OpenID Connect for enterprise SaaS applications
    • Everything is going to SaaS applications
    • Enterprises still apply misguided security practices to SAML
    • Response forging is near impossible to detect
    Much of the security industry's focus has been on response forging relative to AD FS, especially after the Solorigate incident in 2020. However, any identity provider is susceptible to response forging if the private key material can either be extracted, such as in AD FS, or if external signing key material can be uploaded to the identity provider.
    As such, we wanted to work towards a tool that can be flexible to forge responses for any identity provider and continue to build the tool to cover more response forging scenarios.
    During the demo lab, we will discuss the efforts put into v 1.0 of SAMLSmith, including:
    • Testing of the tool against multiple identity providers, and the results
    • Support for SP-initiated flows requiring InResponseTo in the SAML response
    • AD FS specific components
    Along with this, we’ll cover the resources we are putting together in the SAMLSmith docs, to help those interested understand and learn about not just using the tool, but SAML response forging in general.
    Last, we want to gather feedback and discussion from others – what would be interesting to see, where should we take the tool, what’s important to you?

    The repo for SAMLSmith can be found here:
    Semperis/SAMLSmith