According to CRN, ProPublica has reported that Microsoft ignored warnings from former employee Andrew Harris about the Golden SAML vulnerability in its Active Directory Federation Services offering, years before the flaw was leveraged in the widespread SolarWinds software supply chain hack in 2020.
The compromised SolarWinds Orion software led to the breach of numerous organizations around the world, including the National Nuclear Security Administration and the National Institutes of Health; more urgent action by Microsoft may have helped avert exploitation of the Golden SAML flaw, the ProPublica report noted. Microsoft did not challenge the report's findings.
However, Microsoft emphasized that there are no "inherent vulnerabilities" in the SAML standard and that its implementation does not pose a security issue for identity services.
"Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners. Our assessment of this issue received multiple reviews and was aligned with the industry consensus," said Microsoft.