When detecting Silver SAML you should check for "KeyDescription" events

[denniskniep]

When detecting Silver SAML it might be not enough to monitor for changes to PreferredTokenSigningKeyThumbprint
Because this event "only" signals the activation of an already uploaded certificate.

But the event that describes a change of the certificates is KeyDescription. In this event the old certs and new certs are listed.
If a new cert is added here and not activated yet, it will be already available in EntraID´s /federationmetadata/2007-06/federationmetadata.xml Endpoint. This means that the application could already accept SAML tokens which are signed by that new certificate (which is not yet active).

Therefore in my opinion the Detecting Silver SAML section in the Readme should be changed accordingly.

Any thoughts regarding this?

[ericonidentity]

Hi @denniskniep - You bring up an excellent point, and it's something that has stirred up some good thoughts in my mind, recalling the SAML apps that may accept tokens signed by multiple certs that subscribe to Entra ID's metadata endpoint. We appreciate the feedback and I agree that it's something we should look at for detecting Silver SAML. It's quite difficult enough due to the limitations in audit logging in Entra ID to really get a lot of details as to the certificates that were uploaded. We're looking into a few different things from a detection standpoint but will keep you updated with what we find, and will update the readme accordingly.