Create a Resource Template of Type 'OpenIDAuthentication'
You can create the resource template for OpenID from either TIBCO ActiveMatrix Administrator UI, or from the Command Line Interface (CLI).
TIBCO ActiveMatrix Administrator UI
- Log in to TIBCO ActiveMatrix Administrator.
- Select .
- Click New.
- On the Add Resource Template dialog, select 'OpenID Authentication' in the
Type field.
The Name field defaults to the same value selected in the Type field, but can be change, if desired.
- Complete the remainder of the Add Resource Template dialog, using the descriptions below.
Field/Button Description Description (optional) A description for the OpenID shared resource. Access token URI The REST OpenID token service URI, which is used to obtain an ID Token for the authenticated user. This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP.
Examples are:
Google:
https://www.googleapis.com/oauth2/v3/token
Microsoft ADFS:
https://host:port/adfs/oauth2/token
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.
Client ID The ID that identifies the client at the Identify Provider (IdP). This, and the Client Secret (see below), are obtained from the IdP when the client registers an application with the IdP for the purpose of providing authentication for users. For information, see Registering an Application at an Identity Provider. Client Secret The password for the Client ID account. See the description above. Redirect URI The URI to which the IdP will redirect the user after authenticating the user and generating an ID Token. http://host:port/appPath
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to your Web application.
Also note that this URI must match exactly the Redirect URI that was specified when registering the application with the IdP.
For more information, see Registering an Application at an Identity Provider.
Authorization URI The REST Open ID user claims/information service URI, which is used to obtain user profile information. This URI can be obtained from the IdP's website on which they describe how to register an application with the IdP.
Examples are:
Google:
https://accounts.google.com/o/oauth2/auth
Microsoft ADFS:
https://host:port/adfs/oauth2/authorize
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.
Auth Scope (optional) Defines the claims to be returned by the IdP when the IdP authenticates the user and issues an ID Token. These claims are user attributes and are intended to provide the application with user details. The openid scope is included by default (even though it does not appear in the Auth Scope field by default). (The openid scope causes the sub claim to be returned, which uniquely identifies the user.) However, if any scope is entered in the Auth Scope field, it overrides the default value of openid. Therefore, if your IdP requires the openid scope, plus another scope, you must also specify openid. Specify the scopes required by your IdP.
Examples are:
Google and Microsoft ADFS:
Multiple scopes can be either comma- or space-separated in the Auth Scope field.
User Key (optional) From the list of claims that are returned from the IdP (based on the scope), this specifies the field that is used as a User ID. For example: JSON Web Key Set URI The URI to the JSON Web Key Set (JWKS), which is a JSON data structure that represents a set of public keys used to verify the signature of the JSON Web Token (JWT) ID Token issued by the IdP. This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP.
Examples are:
Google:
https://www.googleapis.com/oauth2/v3/certs
Microsoft ADFS:
https://host:port/adfs/discovery/keys
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.
Logout Path When a user logs out of a TIBCO ActiveMatrix Web application, the browser sends this value to the TIBCO ActiveMatrix server. This property must be set to: /logout
This value indicates to the server that it needs to send a request to the IdP to log the user out, using the value specified in the SignOutURL property (see below).
Signout URL Upon receiving "/logout" in the LogOutPath property, the server uses this URL to send the IdP a request to log the user out of the IdP. The Signout URL is specific to the IdP.
Examples are:
Google:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://host:port/appPath/logout
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page.
Microsoft ADFS:
https://host:port/adfs/ls/?wa=wsignout1.0&wreply=http://host:port/appPath
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page.
Unauthorized Redirect Requests (optional) Specifies whether it is the responsibility of the application to handle unauthorized redirect requests. Select this option if the application will handle unauthorized requests and will forward them to the appropriate location. ActiveMatrix BPM handles unauthorized requests, therefore, for ActiveMatrix BPM applications, this option must be selected. Enable PKCE (Optional) Proof Key for Code Exchange (PKCE) (defined in OAuth 2.0 RFC 7636 ) adds an extra layer of security to the Authorization Code flow to prevent several interception attacks. PKCE technique involves the use of two keys called Code Verifier and Code Challenge. Select the Enable PKCE check box to enable the Proof Key for Code Exchange (PKCE) authorization.
- Click Save.
Command Line Interface (CLI)
The following shows the required fields to create an OpenID resource template using the CLI.
Use the table above for descriptions of each of the fields.
<!-- Optional Fields scope, userKey, description, unauthorizeRedirectRequests -->
<ResourceTemplate
xsi:type="amxdata:OpenIDResourceTemplate"
name = "OpenIDRT"
clientID="replyingparty-clientID"
clientSecret="replyingparty-clientSecret"
accessTokenURI="idp-accessTokenURI"
redirectURI="replyingparty-redirectURI"
authorizationURI="idp-authorizationURI"
scope="openid,email"
userKey="email"
jwksUrl="idp-jwksUrl"
unauthorizeRedirectRequests="false"
enablePKCE="false"
description="This is OpenID resource template">
logOutPath="Log out path"
signOutURL="Signout URL"
</ResourceTemplate>