I am AD FS and so can you: Attacking Active Directory Federated Services

With the rise in popularity of enterprise cloud applications - email, data processing, and data warehousing for example - organizations find themselves contending with the need to securely share identity information with their cloud service providers. This talk explores one common model for this, Active Directory Federated Services, and how it can be exploited by attackers to access cloud applications as any user, without knowing their password and without MFA.