At Thinkst, we build tools to make attackers’ lives harder and defenders’ lives easier. Our latest Canarytoken does exactly that—introducing the SAML IdP App Canarytoken (already available on canarytokens.org, and now available on customer Consoles too!).
Where our Fake App Canarytokens for iOS and Android detect badness at the device level, SAML IdP App Canarytokens help at the identity level. Organisations rely on Single Sign-On (SSO) to manage authentication across their cloud applications. Attackers know this and target identity providers (IdPs) as a high-value entry point into enterprise environments.
By setting up a fake SSO app in your IdP dashboard, you create a high-fidelity tripwire. If an attacker stumbles upon the app and attempts to access it, you immediately receive an alert identifying the compromised account. Early warning of identity compromise helps you react before an attacker can escalate privileges or move laterally within your environment.
Creating a SAML IdP App Canarytoken
Create a Canarytoken (either on your Console or canarytokens.org) by choosing ‘SAML IdP App’ from the Canarytokens list.
Select an app to impersonate from the dropdown. Leave a reasonable comment to remind yourself where you will deploy the Canarytoken (e.g. ‘Fake Salesforce app on Okta’). If you want the app to redirect to a specific URL, enter it in the ‘Send the user to this URL on login (Optional)’ box.

Tap the ‘Create Canarytoken’ button. Download the app icon to use on your dashboard, and use the ACS URL and Entity ID to create a SAML app in your IdP.

Assign it to users and/or make it discoverable. Your token is now set up and will blend in seamlessly with the other apps in your organisation!
Validation
Unique to the Console version of this token is the ability to enable SAML request validation by uploading the SAML metadata file your IdP generates after you create the app. With it, we can cryptographically validate incoming SAML requests and only alert on legitimate login attempts, adding an extra layer of fidelity to the signal that a user on your IdP has been compromised.
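To make concrete what the ACS URL and Entity ID from the setup steps above are for, and what the uploaded IdP metadata lets the receiving side check, here is an added example (not Thinkst's code, and not how the Canarytokens backend is implemented). It parses a constructed IdP metadata file for the IdP's entityID and signing certificate, then runs the consistency checks on an incoming SAMLResponse that should precede any alert: Issuer matches the IdP, Destination matches the token's ACS URL, Audience matches the token's Entity ID, and the certificate in the response is one published in the metadata. All URLs, the token ID and the certificate bytes are constructed placeholders. The XML-DSig signature itself is not verified here; that step needs a library such as xmlsec, and these checks are the prefilter that decides whether a POST is a real login by a user on your IdP or just noise.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Values the token would hand out at creation time (constructed placeholders, not real URLs).
ACS_URL = "https://canarytokens.example/saml/acs/EXAMPLE-TOKEN-ID"
SP_ENTITY_ID = "https://canarytokens.example/saml/EXAMPLE-TOKEN-ID"

# Constructed stand-ins for the IdP's signing certificate; real metadata carries base64 DER.
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-signing-certificate").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed-certificate-not-in-metadata").decode()

# Constructed IdP metadata, shaped like the file an IdP exports after the app is created.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _fingerprint(b64_cert):
    """SHA-256 over the DER bytes; whitespace is stripped because metadata often line-wraps it."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text):
    """Return the IdP entityID and the fingerprints of every certificate usable for signing."""
    root = ET.fromstring(xml_text)
    fingerprints = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fingerprints.add(_fingerprint(cert.text))
    return {"entity_id": root.get("entityID"), "signing_fingerprints": fingerprints}


def make_response(issuer, cert_b64, name_id, destination=ACS_URL, audience=SP_ENTITY_ID):
    """Build a constructed SAMLResponse POST value (base64 XML) as an IdP would send to the ACS URL."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Assertion>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_saml_response(saml_response_b64, idp, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID):
    """Consistency checks against the uploaded metadata. Returns (is_valid, problems, name_id).

    Only a response that passes all of them is worth alerting on. The XML-DSig signature
    itself must still be verified with a proper library (e.g. xmlsec); that is not done here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp["entity_id"]:
        problems.append(f"issuer {issuer!r} is not the configured IdP")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match this token's ACS URL")
    if root.findtext(".//saml:Audience", namespaces=NS) != sp_entity_id:
        problems.append("Audience does not match this token's Entity ID")
    sig = root.find("ds:Signature", NS)
    cert = sig.findtext(".//ds:X509Certificate", namespaces=NS) if sig is not None else None
    if cert is None or _fingerprint(cert) not in idp["signing_fingerprints"]:
        problems.append("signing certificate is not one published in the IdP metadata")
    name_id = root.findtext(".//saml:NameID", namespaces=NS)  # the account to name in the alert
    return (not problems, problems, name_id)


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    for label, resp in [
        ("genuine IdP login", make_response(idp["entity_id"], IDP_CERT_B64, "alice@example")),
        ("unsigned-by-IdP post", make_response(idp["entity_id"], ROGUE_CERT_B64, "alice@example")),
    ]:
        ok, problems, user = check_saml_response(resp, idp)
        print(label, "-> alert on" if ok else "-> ignore", user, problems)
```

The fingerprint comparison is what the metadata upload buys you: without it, anyone who finds the ACS URL can POST an arbitrary SAMLResponse naming any account, and the alert would carry a fabricated username. With it, a response that fails these checks is dropped before it ever becomes a "compromised account" notification.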

Conclusion
Attackers thrive in silence—Canarytokens break that silence when it matters. In the age of cloud platforms and SSO dashboards, the attack surface is distributed, and a robust defense requires spotting attackers where they are. This Canarytoken catches a very specific case (identity compromise), and we think it can form a valuable part of defenders’ arsenal.