TFIM SAML framework protected against XML Signature wrapping attacks

News


Abstract

TFIM SAML framework is protected against the XML Signature wrapping attacks described in the paper "Breaking SAML: Be Whoever You Want to Be".

Content

The paper "Breaking SAML: Be Whoever You Want to Be" describes XML Signature wrapping (XSW) attacks and the results of applying these attacks to real-world SAML providers/frameworks. The following versions of Tivoli Federated Identity Manager (Enterprise and Business Gateway) are protected against the XSW attacks described in the paper:



For versions of TFIM that are no longer supported, IBM recommends that customers upgrade to a supported, fixed version of the product.

Related information

TFIM: Multiple Protocol XML signature validation bypass


Cross reference information
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Security | Tivoli Federated Identity Manager Business Gateway | Not Applicable | AIX, HP-UX, Linux, Solaris, Windows | 6.2, 6.2.1, 6.2.2 | |
| Security | Tivoli Federated Identity Manager for z/OS | Not Applicable | z/OS | Version Independent | |

Product Alias/Synonym

TFIM
FIM
ISAM

Document information

More support for: Tivoli Federated Identity Manager

Software version: 6.2, 6.2.1, 6.2.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #: 1615696

Modified date: 2014-10-15