
Stopping Identity Provider Session Hijacking

SaaS is in session

Businesses today are able to operate and collaborate more effectively than ever, largely thanks to the powerful SaaS applications that teams rely on and entrust with their important data. To streamline the user experience and avoid requiring a login on each visit, SaaS applications generate session tokens that are stored in the browser and used to authenticate the user. Once someone has a token, they can potentially revisit the application over multiple days without needing to reauthenticate.

In addition, most companies use identity providers (IDPs) to manage digital identities and further facilitate frictionless access to SaaS applications. Features like single sign-on (SSO) and multi-factor authentication (MFA) can both improve the user experience and provide an extra layer of security. Authenticating with a valid token to the IDP allows a user to access a multitude of connected services, each of which will generate another unique token specific to the application.

While the simple, lasting authentication provided by these session tokens is unquestionably convenient, it has unfortunately introduced new exploitation opportunities for bad actors. The prevalence and effectiveness of MFA have caused adversaries to increasingly forgo targeting credentials in favor of session tokens. Not only can a captured session token potentially grant access to a SaaS application or a wealth of services connected to an IDP; it also offers persistence in the environment for as many as 30 days (depending on the duration of the token). These attacks are discreet, often going undetected because the attacker is reusing legitimate tokens. As the threat of session hijacking continues to grow, it's imperative that security leaders understand the techniques and consequences of token theft in a SaaS world in order to mitigate it.

Who stole the cookie?

Session tokens are long, randomly generated strings that are nearly impossible to guess, protected with SSL over the network, and encrypted when stored on endpoints. An identity provider generates one of these tokens to authenticate the user's connection to the IDP, which then enables the user to create subsequent sessions with SSO-connected applications. Each connected application may set its own session length for its unique token, providing persistence that remains even after the IDP session expires. To bypass security measures and capture valid tokens, attackers employ a variety of techniques, such as malware and phishing via a man-in-the-middle attack.


There are a variety of avenues attackers can exploit to trick users into unknowingly installing malware on their devices. If a user logs into a SaaS application from an endpoint with cookie-stealing malware installed, the malware can grab the cookie, decrypt it, and send it to the attacker for reuse. This attack bypasses MFA, because the cookie is only granted to the user and stored on the endpoint after the MFA challenge has been passed. The attacker can then use this token to access the session at the same time as the user, authenticating to the IDP and likely creating a number of new sessions for any connected SaaS applications.

Man-in-the-Middle Attack

In a man-in-the-middle attack, adversaries can phish a user into logging into a SaaS application via infrastructure that they control (often making fake authentication pages that look and feel just like the authentication pages users are familiar with logging into). The attacker relays traffic between the end user and the identity provider and captures the session token granted to the user after they provide MFA. Afterwards, the attacker is able to reuse the same session token as the user to access the SaaS application. The threat of these phishing attacks continues to grow; a recent blog from The Record shared that a team of academics discovered more than 1,200 known phishing toolkits that can intercept and capture MFA security codes.

Mitigate Token Theft with Obsidian

To accurately identify token theft and other compromises within your SaaS environment, Obsidian begins with a consolidated understanding of your users, activities, permissions, and configurations from across your core applications. This data is normalized, enriched with context and threat intel, and ultimately populated into a central knowledge graph of your SaaS environment. This serves as the foundation for our models to detect malicious activity in its earliest stages, giving your team the chance to mitigate threats before sensitive data is exfiltrated.

Because Obsidian carefully examines and analyzes details about the users and client connections to the identity provider and SaaS applications, we detect the potentially subtle anomalies consistent with token capture and reuse by an attacker. When this is identified, our platform immediately flags the event for your security team, providing a single timeline of events related to the attack and a clear path for prompt remediation.
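
As an added illustration (not Obsidian's detection logic and not code from the original post), one simple signal for the token reuse described above is a single session ID presented by two different client fingerprints within a short window. The event fields, the sample log rows, and the 30-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP events: (time, user, session id, client IP, user agent).
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "sess-A1", "198.51.100.7", "Chrome/120 Windows"),
    ("2024-01-10T09:05:00", "alice", "sess-A1", "198.51.100.7", "Chrome/120 Windows"),
    ("2024-01-10T09:10:00", "alice", "sess-A1", "203.0.113.50", "python-requests/2.31"),
    ("2024-01-10T09:12:00", "alice", "sess-A1", "198.51.100.7", "Chrome/120 Windows"),
    ("2024-01-10T09:00:00", "bob", "sess-B2", "192.0.2.10", "Safari/17 macOS"),
    ("2024-01-10T13:00:00", "bob", "sess-B2", "192.0.2.99", "Safari/17 macOS"),
    ("2024-01-10T10:00:00", "carol", "sess-C3", "192.0.2.20", "Firefox/121 Linux"),
    ("2024-01-10T10:10:00", "carol", "sess-C3", "192.0.2.21", "Firefox/121 Linux"),
]

def find_token_reuse(events, window=timedelta(minutes=30)):
    """Flag sessions whose token is presented by a second client fingerprint
    while another fingerprint was active within `window`."""
    last_seen = defaultdict(dict)  # session id -> {(ip, ua): last timestamp}
    reported = set()               # (session id, fingerprint pair) already flagged
    findings = []
    for ts, user, sid, ip, ua in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        fp = (ip, ua)
        for other, seen in last_seen[sid].items():
            key = (sid, frozenset((fp, other)))
            if other == fp or when - seen > window or key in reported:
                continue
            reported.add(key)
            # A changed user agent is a stronger signal than an IP change alone,
            # which also happens when a laptop switches networks.
            severity = "high" if other[1] != ua else "medium"
            findings.append({"session": sid, "user": user, "time": ts,
                             "first_client": other, "second_client": fp,
                             "severity": severity})
        last_seen[sid][fp] = when
    return findings

if __name__ == "__main__":
    for finding in find_token_reuse(EVENTS):
        print(finding)
```

Bob's session is not flagged because his second client appears four hours after the first went quiet, which looks like a user changing networks, not two clients sharing one token.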

For more information, read our solution brief Zero Trust in a SaaS World to learn why the ability to stop session hijacking is so important when extending the principles of zero trust to your SaaS applications.