Single Sign-On to SOA Applications Using SAML SSO Web Profile

In ActiveMatrix Service Grid and SOA applications, you can implement single sign-on (SSO) by using Security Assertion Markup Language (SAML) SSO Web Profile. SAML 2.0 is a version of the SAML standard for exchanging authentication and authorization data between security domains. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.

SSO can be enabled only on applications that contain WebApp Implementation Type (IT) endpoints. To enable SSO, you must apply the SAML SSO Web Profile Authentication Policy to the application.

OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE)

Starting from TIBCO ActiveMatrix 3.4.0 Hotfix 004, OpenID Connect Authorization Code Flow with Proof Key for Code Exchange (PKCE) is supported. Authorization Code Flow with PKCE is supported for authentication with both Google and Microsoft ADFS. PKCE (defined in OAuth 2.0 RFC 7636) adds an extra layer of security to the Authorization Code flow to prevent several authorization-code interception attacks. The PKCE technique uses two values, called the Code Verifier and the Code Challenge. For more information about PKCE, see the OAuth 2.0 documentation.
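The two PKCE values work as follows: the client keeps a random Code Verifier secret, sends only its SHA-256 hash (the Code Challenge) with the authorization request, and later proves possession of the verifier at the token endpoint, so an intercepted authorization code alone cannot be redeemed. The example below is added here to illustrate the RFC 7636 S256 transform and the token-endpoint check; it is not part of this documentation or of the ActiveMatrix product, and the function names are the author's own. The sample verifier and challenge in the usage note are the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: a code_verifier is 43 to 128 characters drawn from
# the unreserved set [A-Z] [a-z] [0-9] "-" "." "_" "~".
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: create a high-entropy code_verifier.

    32 random bytes encoded as unpadded base64url give a 43-character string,
    the minimum length the RFC allows, from a CSPRNG.
    """
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """Client side: S256 transform, BASE64URL(SHA256(ASCII(code_verifier))).

    The result is sent with the authorization request as
    code_challenge=...&code_challenge_method=S256; the verifier itself
    is never sent through the browser.
    """
    if not _VERIFIER_RE.match(code_verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(code_verifier: str, code_challenge: str,
                          method: str = "S256") -> bool:
    """Authorization-server side: check at the token endpoint.

    The server stored code_challenge (and method) alongside the issued
    authorization code; when the code is redeemed it recomputes the
    challenge from the presented code_verifier and compares in constant time.
    """
    if not _VERIFIER_RE.match(code_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        # Allowed by the RFC only when S256 is not feasible; S256 is preferred.
        expected = code_verifier
    else:
        return False
    return secrets.compare_digest(expected, code_challenge)


def simulate_flow() -> dict:
    """Walk through one Authorization Code + PKCE exchange with constructed data.

    Returns the outcome of redeeming the code with the legitimate verifier and
    with a code_verifier the genuine client never used, which models a party
    that obtained only the authorization code.
    """
    # Step 1: client generates the verifier and derives the challenge.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)

    # Step 2: authorization server binds the challenge to the issued code.
    # (constructed, stands in for the server's short-lived code store)
    issued_codes = {"CONSTRUCTED-AUTH-CODE": (challenge, "S256")}

    # Step 3: token endpoint receives code + code_verifier and checks them.
    stored_challenge, method = issued_codes["CONSTRUCTED-AUTH-CODE"]
    legitimate = verify_code_challenge(verifier, stored_challenge, method)
    without_verifier = verify_code_challenge(generate_code_verifier(),
                                             stored_challenge, method)
    return {"legitimate_client": legitimate,
            "code_only_without_verifier": without_verifier}


if __name__ == "__main__":
    print(simulate_flow())
```

Running the block prints `{'legitimate_client': True, 'code_only_without_verifier': False}`: the same authorization code is accepted when accompanied by the verifier that produced the stored challenge and rejected otherwise, which is the property PKCE adds on top of the client secret. With the RFC 7636 test vector, `code_challenge_s256("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")` returns `"E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"`.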

You can enable Proof Key for Code Exchange (PKCE) in one of the following ways:

Enabling PKCE Using Administrator GUI

Select the Enable PKCE checkbox in the OpenID Authentication resource template to enable PKCE.

Enabling PKCE Using Administrator CLI

Set the enablePKCE value to true in resourcetemplate_data.xml to enable PKCE.

This file is located in the <TIBCO_HOME>/administrator/3.4/samples/ folder. If you are upgrading from a previous hotfix to the current hotfix you must perform the steps mentioned in the "Usage Guidelines" topic of TIBCO ActiveMatrix® Hotfix Readme Addendum.

Sample resourcetemplate_data.xml

<ResourceTemplate
    xsi:type="amxdata:OpenIDResourceTemplate"
    name="OpenIDRT"
    clientID="replyingparty-clientID"
    clientSecret="replyingparty-clientSecret"
    accessTokenURI="idp-accessTokenURI"
    redirectURI="replyingparty-redirectURI"
    authorizationURI="idp-authorizationURI"
    scope="openid,email"
    userKey="email"
    jwksUrl="idp-jwksUrl"
    logOutPath="Log out path "
    signOutURL="Signout URL"
    unauthorizeRedirectRequests="false"
    enablePKCE="false"
    description="This is OpenID resource template">
</ResourceTemplate>