TFIM SAML framework is protected against the XML Signature wrapping attacks described in the paper "Breaking SAML: Be Whoever You Want to Be".
The paper "Breaking SAML: Be Whoever You Want to Be" describes XML Signature wrapping (XSW) attacks and the results of applying these attacks to real-world SAML providers and frameworks. The following versions of Tivoli Federated Identity Manager (Enterprise and Business Gateway) are protected against the XSW attacks described in the paper:
- TFIM 6.2.2 Fixpack 2
- TFIM 6.2.1 Fixpack 2 with Interim Fix 3 or TFIM 6.2.1 Fixpack 4
- TFIM 6.2.0 Fixpack 9 with Interim Fix 11
- TFIM 6.1.1 Fixpack 10 with Interim Fix 13
For versions of TFIM that are no longer supported, IBM recommends that customers upgrade to a supported, fixed version of the product.
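The defence that XSW attacks probe is the binding between the signed element and the element the service provider actually consumes: a signature that verifies cryptographically is worthless if its Reference covers a different Assertion than the one used for the login decision. The following is an added example, not IBM's code or the paper's, showing the structural check a consumer should perform alongside signature verification. It assumes the SAML library verifies the signature value itself; the sample messages, IDs and the placeholder SignatureValue are constructed for this example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def check_signature_binding(xml_text: str) -> tuple[bool, str]:
    """Structural check only (no cryptography): confirm that the one Assertion
    the service provider would consume is exactly the element covered by the
    enveloped signature's Reference. Signature verification itself is assumed
    to be done separately by the SAML library."""
    root = ET.fromstring(xml_text)

    # Reject any document that carries more than one Assertion: the consumer
    # must never have to guess which one the signature applies to.
    assertions = root.findall(f".//{{{SAML_NS}}}Assertion")
    if len(assertions) != 1:
        return False, f"expected exactly one Assertion, found {len(assertions)}"
    assertion = assertions[0]

    # ID values must be unique; a duplicate makes "#id" references ambiguous.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return False, "duplicate ID attribute values in document"

    # The signature must be a direct child of the consumed Assertion (enveloped).
    sig = assertion.find(f"{{{DS_NS}}}Signature")
    if sig is None:
        return False, "consumed Assertion carries no enveloped Signature"

    # Exactly one Reference, and it must point at the consumed Assertion's own ID.
    refs = sig.findall(f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}Reference")
    if len(refs) != 1:
        return False, f"expected exactly one Reference, found {len(refs)}"
    uri = refs[0].get("URI", "")
    if uri != "#" + (assertion.get("ID") or ""):
        return False, f"Reference {uri!r} does not cover the consumed Assertion"
    return True, "signature Reference is bound to the consumed Assertion"


# Constructed sample: one Assertion whose enveloped signature references itself.
# The SignatureValue is a placeholder, not a real signature.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the Reference points at an ID that is not the Assertion
# being consumed, so the check must fail even if the signature value verifies.
MISMATCHED_RESPONSE = GOOD_RESPONSE.replace('Assertion ID="_a1"', 'Assertion ID="_a2"')

# Constructed sample: two Assertions in one Response is rejected outright.
DOUBLE_RESPONSE = GOOD_RESPONSE.replace(
    "</samlp:Response>",
    '  <saml:Assertion ID="_a3"><saml:Subject><saml:NameID>bob</saml:NameID>'
    "</saml:Subject></saml:Assertion>\n</samlp:Response>",
)

if __name__ == "__main__":
    for name, doc in [("good", GOOD_RESPONSE), ("mismatched", MISMATCHED_RESPONSE),
                      ("double", DOUBLE_RESPONSE)]:
        ok, reason = check_signature_binding(doc)
        print(f"{name:10s} accepted={ok} ({reason})")
```

The check is deliberately strict (one Assertion, one Reference, unique IDs, enveloped placement) because each relaxation is a place where a verified signature and the consumed element can drift apart; run it on the raw message before any data is extracted for authorization.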
| Segment | Product | Component | Platform | Version |
|---|---|---|---|---|
| Security | Tivoli Federated Identity Manager Business Gateway | Not Applicable | AIX, HP-UX, Linux, Solaris, Windows, z/OS | 6.1.1, 6.2, 6.2.1, 6.2.2 |
| Security | Tivoli Federated Identity Manager for z/OS | Not Applicable | z/OS | Version Independent |