4/17 (Thu.) 15:30 - 16:00 4F 4C

Who Do You Trust? Identity Threats in a Multi-Cloud World

Cloud platforms and SaaS applications have become a prevailing trend in enterprise deployments. Organizations typically adopt SSO solutions to centralize identity management and simplify user login. For enterprises with an Active Directory (AD) domain, a common approach is to synchronize or delegate authentication, passing on-premises identity to an Identity Provider (IdP) such as Entra ID or Okta, which then integrates with other cloud services (e.g., AWS, GCP) or SaaS applications.

The underlying protocols, such as SAML and OIDC, are also used for cross-platform resource access by Workload Identity. However, the security of these protocols relies on the trust relationship between the IdP (including AD) and cloud service providers (CSPs). Once an IdP component is compromised, the services that trust it can be exploited, posing a threat to the entire organization.

This talk provides an in-depth analysis of threats targeting on-premises IdP components, including Golden SAML and Agent Spoofing attacks, as well as potential weaknesses in Workload Identity within multi-cloud and hybrid environments. It also examines the impact of IdP misconfigurations (e.g., Silver SAML) and proposes best practices to strengthen security boundaries and mitigate cross-platform identity threats.

Echo Lee
SPEAKER
CyCraft Technology
Cyber Security Researcher

TOPIC / TRACK
Cloud Security Forum
Live Translation Session

LOCATION
Taipei Nangang Exhibition Center, Hall 2
4F 4C

LEVEL
Advanced
Advanced sessions explore cybersecurity topics, including architecture, tools, practical experiences, and strategy comparisons. Content often features code explanations, protocol analysis, reverse engineering, and live demos, and is suitable for experienced cybersecurity professionals.

SESSION TYPE
Breakout Session

LANGUAGE
Chinese
Real-Time Chinese & English Translation

SUBTOPIC
Identity Management
Cloud Security
Active Directory Security