Yes, it requires getting admin to the AD FS server https://www.netwrix.com/golden_saml_attack.html which is kind of glossed over but surely is the real "hack"?