Create a Resource Template of Type 'OpenIDAuthentication'

You can create the resource template for OpenID from either TIBCO ActiveMatrix Administrator UI, or from the Command Line Interface (CLI).

TIBCO ActiveMatrix Administrator UI

  1. Log in to TIBCO ActiveMatrix Administrator.
  2. Select Shared Objects > Resource Templates.
  3. Click New.
  4. On the Add Resource Template dialog, select 'OpenID Authentication' in the Type field.

    The Name field defaults to the same value selected in the Type field, but can be change, if desired.

  5. Complete the remainder of the Add Resource Template dialog, using the descriptions below.
    Note: The descriptions below provide examples of configuration parameter values that can be used with Google and Microsoft ADFS. If you are using a different IdP, it is up to you to determine the correct values to use for each parameter.
    Field/Button Description
    Description (optional) A description for the OpenID shared resource.
    Access token URI The REST OpenID token service URI, which is used to obtain an ID Token for the authenticated user.
    Note: Using the OpenID Access Token is not currently supported in ActiveMatrix Service Grid. The OpenID ID Token is used to identify the user.

    This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP.

    Examples are:

    Google:

    https://www.googleapis.com/oauth2/v3/token

    Microsoft ADFS:

    https://host:port/adfs/oauth2/token

    where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.

    Client ID The ID that identifies the client at the Identify Provider (IdP). This, and the Client Secret (see below), are obtained from the IdP when the client registers an application with the IdP for the purpose of providing authentication for users. For information, see Registering an Application at an Identity Provider.
    Client Secret The password for the Client ID account. See the description above.
    Redirect URI The URI to which the IdP will redirect the user after authenticating the user and generating an ID Token.
    http://host:port/appPath

    where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to your Web application.

    Also note that this URI must match exactly the Redirect URI that was specified when registering the application with the IdP.

    For more information, see Registering an Application at an Identity Provider.

    Authorization URI The REST Open ID user claims/information service URI, which is used to obtain user profile information.

    This URI can be obtained from the IdP's website on which they describe how to register an application with the IdP.

    Examples are:

    Google:

    https://accounts.google.com/o/oauth2/auth

    Microsoft ADFS:

    https://host:port/adfs/oauth2/authorize

    where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.

    Auth Scope (optional) Defines the claims to be returned by the IdP when the IdP authenticates the user and issues an ID Token. These claims are user attributes and are intended to provide the application with user details.

    The openid scope is included by default (even though it does not appear in the Auth Scope field by default). (The openid scope causes the sub claim to be returned, which uniquely identifies the user.) However, if any scope is entered in the Auth Scope field, it overrides the default value of openid. Therefore, if your IdP requires the openid scope, plus another scope, you must also specify openid. Specify the scopes required by your IdP.

    Examples are:

    Google and Microsoft ADFS:

    • openid,email

    Multiple scopes can be either comma- or space-separated in the Auth Scope field.

    User Key (optional) From the list of claims that are returned from the IdP (based on the scope), this specifies the field that is used as a User ID. For example:
    Google and Microsoft ADFS:
    • email
    JSON Web Key Set URI The URI to the JSON Web Key Set (JWKS), which is a JSON data structure that represents a set of public keys used to verify the signature of the JSON Web Token (JWT) ID Token issued by the IdP.

    This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP.

    Examples are:

    Google:

    https://www.googleapis.com/oauth2/v3/certs

    Microsoft ADFS:

    https://host:port/adfs/discovery/keys

    where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.

    Logout Path When a user logs out of a TIBCO ActiveMatrix Web application, the browser sends this value to the TIBCO ActiveMatrix server. This property must be set to:

    /logout

    This value indicates to the server that it needs to send a request to the IdP to log the user out, using the value specified in the SignOutURL property (see below).

    Signout URL Upon receiving "/logout" in the LogOutPath property, the server uses this URL to send the IdP a request to log the user out of the IdP.

    The Signout URL is specific to the IdP.

    Examples are:

    Google:

    https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://host:port/appPath/logout

    where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page.

    Microsoft ADFS:

    https://host:port/adfs/ls/?wa=wsignout1.0&wreply=http://host:port/appPath

    where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page.

    Unauthorized Redirect Requests (optional) Specifies whether it is the responsibility of the application to handle unauthorized redirect requests. Select this option if the application will handle unauthorized requests and will forward them to the appropriate location. ActiveMatrix BPM handles unauthorized requests, therefore, for ActiveMatrix BPM applications, this option must be selected.
    Enable PKCE (Optional)

    Proof Key for Code Exchange (PKCE) (defined in OAuth 2.0 RFC 7636 ) adds an extra layer of security to the Authorization Code flow to prevent several interception attacks. PKCE technique involves the use of two keys called Code Verifier and Code Challenge. Select the Enable PKCE check box to enable the Proof Key for Code Exchange (PKCE) authorization.

  6. Click Save.

Command Line Interface (CLI)

The following shows the required fields to create an OpenID resource template using the CLI.

Use the table above for descriptions of each of the fields.

<!-- Optional Fields scope, userKey, description, unauthorizeRedirectRequests -->
<ResourceTemplate
xsi:type="amxdata:OpenIDResourceTemplate"
name = "OpenIDRT"
clientID="replyingparty-clientID"
clientSecret="replyingparty-clientSecret"
accessTokenURI="idp-accessTokenURI"
redirectURI="replyingparty-redirectURI"
authorizationURI="idp-authorizationURI"
scope="openid,email"
userKey="email"
jwksUrl="idp-jwksUrl"
unauthorizeRedirectRequests="false"
enablePKCE="false"
description="This is OpenID resource template">
logOutPath="Log out path"
signOutURL="Signout URL"
</ResourceTemplate>