IBM Support

TFIM SAML framework protected against XML Signature wrapping attacks



TFIM SAML framework is protected against the XML Signature wrapping attacks described in the paper "Breaking SAML: Be Whoever You Want to Be".


The paper "Breaking SAML: Be Whoever You Want to Be" describes XML Signature wrapping (XSW) attacks and the results of applying these attacks to real-world SAML providers and frameworks. The following versions of Tivoli Federated Identity Manager (Enterprise and Business Gateway) are protected against the XSW attacks described in the paper:

For versions of TFIM that are no longer supported, IBM recommends that customers upgrade to a supported, fixed version of the product.

Related information

TFIM: Multiple Protocol XML signature validation bypass

Cross reference information
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Security | Tivoli Federated Identity Manager Business Gateway | Not Applicable | AIX, HP-UX, Linux, Solaris, Windows | 6.2, 6.2.1, 6.2.2 | |
| Security | Tivoli Federated Identity Manager for z/OS | Not Applicable | z/OS | Version Independent | |


Document information

More support for: Tivoli Federated Identity Manager

Software version: 6.2, 6.2.1, 6.2.2

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #: 1615696

Modified date: 15 October 2014
