Create a Resource Template of Type 'OpenIDAuthentication'
You can create the resource template for OpenID from either TIBCO ActiveMatrix Administrator UI, or from the Command Line Interface (CLI).
TIBCO ActiveMatrix Administrator UI
- Log in to TIBCO ActiveMatrix Administrator.
- Select .
- Click New.
- On the Add Resource Template dialog, select 'OpenID Authentication' in the Type field.
The Name field defaults to the same value selected in the Type field, but can be changed, if desired.
- Complete the remainder of the Add Resource Template dialog, using the descriptions below.
Note: The descriptions below provide examples of configuration parameter values that can be used with Google and Microsoft ADFS. If you are using a different IdP, it is up to you to determine the correct values to use for each parameter.
Description (optional)
A description for the OpenID shared resource.

Access token URI
The OpenID token service URI, which the server calls to exchange the authorization code for an ID Token for the authenticated user. This endpoint is specific to the IdP and is documented where the IdP describes how to register an application.
Note: Using the OpenID Access Token is not currently supported in ActiveMatrix Service Grid. Only the OpenID ID Token is used, to identify the user.
Examples are:
Google:
https://www.googleapis.com/oauth2/v3/token
Microsoft ADFS:
https://host:port/adfs/oauth2/token
where host is the DNS name or IP address of the AD FS server and port is the port on which it serves its OAuth 2.0 endpoints. (These are the IdP's host and port, not those of the TIBCO ActiveMatrix server.)

Client ID
The ID that identifies the client (the relying party) at the Identity Provider (IdP). This, and the Client Secret (see below), are obtained from the IdP when the client registers an application with the IdP for the purpose of providing authentication for users. For information, see Registering an Application at an Identity Provider.

Client Secret
The secret issued by the IdP for the Client ID; see the description above. It is a credential: the server presents it at the Access token URI, so keep it out of application code, version control and logs, and rotate it at the IdP if it is ever exposed.

Redirect URI
The URI to which the IdP redirects the user, carrying the authorization code, after authenticating the user:
http://host:port/appPath
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to your Web application.
This URI must match exactly the Redirect URI that was specified when registering the application with the IdP, including scheme, host, port and path. Use https rather than http for anything other than local testing: the authorization code travels on this URI, and most IdPs (Google among them) refuse to register a plain-http redirect URI that is not on localhost.
For more information, see Registering an Application at an Identity Provider.

Authorization URI
The IdP's OpenID Connect authorization endpoint, to which the user's browser is sent to authenticate and to consent to the requested scopes; the IdP then returns an authorization code to the Redirect URI. (It is not a user-info service; the user's claims arrive in the ID Token.) This URI is documented where the IdP describes how to register an application.
Examples are:
Google:
https://accounts.google.com/o/oauth2/auth
Microsoft ADFS:
https://host:port/adfs/oauth2/authorize
where host and port identify the AD FS server, as for the Access token URI.

Auth Scope (optional)
Defines the claims to be returned by the IdP when it authenticates the user and issues an ID Token. These claims are user attributes and are intended to provide the application with user details. The openid scope is included by default (even though it does not appear in the Auth Scope field), and it causes the sub claim to be returned, which uniquely identifies the user at the IdP. However, any value entered in the Auth Scope field replaces that default rather than adding to it. Therefore, if your IdP requires the openid scope plus another scope, you must also specify openid. Specify the scopes required by your IdP.
Examples are:
Google and Microsoft ADFS:
openid,email
Multiple scopes can be either comma- or space-separated in the Auth Scope field.

User Key (optional)
From the list of claims returned by the IdP (based on the scope), this specifies the claim that is used as the User ID. For example:
Google and Microsoft ADFS:
email
The claim must actually be requested through the Auth Scope (email is returned only when the email scope is requested). Also note that sub is the only claim OpenID Connect guarantees to be unique and stable for a user at a given IdP; an email address can change or be reassigned to another person, so if you key users on it, make sure the IdP returns only verified addresses.

JSON Web Key Set URI
The URI of the JSON Web Key Set (JWKS), a JSON document that carries the set of public keys used to verify the signature of the JSON Web Token (JWT) ID Token issued by the IdP. The set can contain several keys and changes when the IdP rotates them; the key that signed a given token is identified by the kid in the token header. This URI is specific to the IdP and is documented where the IdP describes how to register an application.
Examples are:
Google:
https://www.googleapis.com/oauth2/v3/certs
Microsoft ADFS:
https://host:port/adfs/discovery/keys
where host and port identify the AD FS server, as for the Access token URI.

Logout Path
When a user logs out of a TIBCO ActiveMatrix Web application, the browser sends this value to the TIBCO ActiveMatrix server. This property must be set to:
/logout
This value indicates to the server that it needs to send a request to the IdP to log the user out, using the value specified in the Signout URL property (see below).

Signout URL
Upon receiving /logout in the Logout Path property, the server uses this URL to send the IdP a request to log the user out of the IdP. The Signout URL is specific to the IdP.
Examples are:
Google:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://host:port/appPath/logout
where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page.
Microsoft ADFS:
https://host:port/adfs/ls/?wa=wsignout1.0&wreply=http://host:port/appPath
where the first host:port identifies the AD FS server, and in the wreply value host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page.

Unauthorized Redirect Requests (optional)
Specifies whether it is the responsibility of the application to handle unauthorized redirect requests. Select this option if the application handles unauthorized requests and forwards them to the appropriate location. ActiveMatrix BPM handles unauthorized requests itself, so for ActiveMatrix BPM applications this option must be selected.

Enable PKCE (optional)
Proof Key for Code Exchange (PKCE, defined in RFC 7636) adds an extra layer of protection to the OAuth 2.0 Authorization Code flow against authorization code interception. The client sends a code challenge with the authorization request and must present the matching code verifier when it redeems the code at the Access token URI, so a code captured on the way to the Redirect URI is useless on its own. Select the Enable PKCE checkbox to enable it; the IdP must also support PKCE for the exchange to succeed.
- Click Save.
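The following is an added example, not TIBCO's code, showing what the JSON Web Key Set URI, Client ID, Auth Scope and User Key settings amount to once an ID Token arrives: the verifier selects the IdP key from the JWKS by kid, checks the RS256 signature, checks iss, aud and exp, and only then reads the User Key claim. The IdP key pair, JWKS, issuer and token are constructed in-process so the script runs offline (a real deployment fetches the key set from the configured JWKS URI); the kid, claim values and client ID are placeholders chosen for the example.

```python
# Added example, not TIBCO's code: an ID Token validator doing what the
# resource template fields imply. It selects the IdP key from the JWKS by kid,
# verifies the RS256 signature, checks iss/aud/exp, then reads the User Key
# claim. The IdP key pair, JWKS and token are constructed in-process so it runs
# offline; a real deployment fetches the key set from the JSON Web Key Set URI.
import base64, hashlib, hmac, json, random, secrets

def b64url_encode(data):                 # RFC 7515 base64url, no padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n, rounds=20):
    """Miller-Rabin; adequate for a throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand

def make_idp_key(kid="idp-key-1", bits=1024):
    """Stand-in IdP signing key: returns (private key, public JWK). Use 2048+ bits for real keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            break
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
           "n": b64url_encode(n.to_bytes(bits // 8, "big")),
           "e": b64url_encode(e.to_bytes(3, "big"))}
    return {"n": n, "d": pow(e, -1, phi), "kid": kid}, jwk

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def _emsa_pkcs1_v15(message, size):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t

def issue_id_token(priv, claims):
    """IdP side: the ID Token returned from the Access token URI, as a compact RS256 JWS."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": priv["kid"]}) + "." + enc(claims)
    size = (priv["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), size), "big")
    return signing_input + "." + b64url_encode(pow(m, priv["d"], priv["n"]).to_bytes(size, "big"))

def rs256_verify(jwk, signing_input, signature):
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    size = (n.bit_length() + 7) // 8
    if len(signature) != size:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(size, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, size))

def validate_id_token(token, jwks, issuer, client_id, user_key, now):
    """Relying-party side: returns the User Key claim or raises ValueError."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":     # the token never gets to choose a weaker algorithm
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:                      # keys rotate: refetch the JWKS URI once, then fail
        raise ValueError("no JWKS key matches the token kid")
    if not rs256_verify(key, (h64 + "." + p64).encode(), b64url_decode(s64)):
        raise ValueError("ID Token signature does not verify")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("issuer %r is not the configured IdP" % claims.get("iss"))
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("Client ID is not in aud")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID Token has expired")
    if user_key not in claims:
        raise ValueError("claim %r missing; add the scope that returns it" % user_key)
    return claims[user_key]
```

The order of the checks is the point: the algorithm is pinned before the key is looked up, the signature is verified before any claim is trusted, and the User Key is read last. A missing User Key claim after a valid signature almost always means the Auth Scope did not request the scope that returns it.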
Command Line Interface (CLI)
The following shows the fields used to create an OpenID resource template using the CLI; the comment lists the optional ones.
Use the table above for descriptions of each of the fields.
<!-- Optional fields: scope, userKey, description, unauthorizeRedirectRequests, enablePKCE -->
<ResourceTemplate
    xsi:type="amxdata:OpenIDResourceTemplate"
    name="OpenIDRT"
    clientID="relyingparty-clientID"
    clientSecret="relyingparty-clientSecret"
    accessTokenURI="idp-accessTokenURI"
    redirectURI="relyingparty-redirectURI"
    authorizationURI="idp-authorizationURI"
    scope="openid,email"
    userKey="email"
    jwksUrl="idp-jwksUrl"
    unauthorizeRedirectRequests="false"
    enablePKCE="false"
    description="This is OpenID resource template"
    logOutPath="/logout"
    signOutURL="idp-signOutURL">
</ResourceTemplate>
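The following is an added example, not TIBCO's code, walking through the Authorization Code flow that the authorizationURI, redirectURI, scope and enablePKCE attributes above configure, with both sides shown: the relying party builds the authorization request (space-separated scopes, a state value, an S256 code challenge), the IdP enforces an exact redirect URI match and issues a single-use code, and the token request only succeeds with the matching code verifier. The IdP is simulated in-process so the script runs offline; the endpoint, client ID and redirect URI values are placeholders, not a real registration.

```python
# Added example, not TIBCO's code: the Authorization Code flow with PKCE that the
# Authorization URI, Redirect URI, Auth Scope and Enable PKCE settings drive,
# with the IdP simulated in-process so it runs offline. Endpoint and client
# values are placeholders chosen for the example, not a real registration.
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def code_challenge(verifier):
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair():
    verifier = b64url(secrets.token_bytes(32))      # 43 characters, inside the 43..128 range
    return verifier, code_challenge(verifier)

def build_authorization_url(authorization_uri, client_id, redirect_uri, scopes, state, challenge):
    """Step 1: where the relying party sends the browser. Scopes may be entered
    comma- or space-separated in the template; on the wire they are space-separated."""
    scope_list = [s for s in scopes.replace(",", " ").split() if s]
    if "openid" not in scope_list:                 # the implicit default is lost once any scope is set
        raise ValueError("OpenID Connect requires the openid scope")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scope_list), "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return authorization_uri + "?" + urlencode(params)

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class FakeIdp:
    """Steps 2 and 3 as the IdP sees them: issue a code, later redeem it."""
    def __init__(self, registered_redirect_uri):
        self.registered_redirect_uri = registered_redirect_uri
        self.codes = {}                              # code -> (redirect_uri, code_challenge)

    def authorize(self, url):
        q = _query(url)
        if q.get("redirect_uri") != self.registered_redirect_uri:   # exact match, as the doc warns
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["redirect_uri"], q.get("code_challenge"))
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code, redirect_uri, code_verifier):
        entry = self.codes.pop(code, None)           # single use, whether or not the check passes
        if entry is None or entry[0] != redirect_uri:
            raise ValueError("unknown, used or mismatched code")
        if entry[1] is None or not hmac.compare_digest(code_challenge(code_verifier), entry[1]):
            raise ValueError("code_verifier does not match the code_challenge")
        return {"token_type": "Bearer", "id_token": "<signed JWT, verified against the JWKS>"}

def run_flow(idp, authorization_uri, client_id, redirect_uri, scopes):
    """Relying party end to end: returns the token response or raises ValueError."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    callback = idp.authorize(build_authorization_url(
        authorization_uri, client_id, redirect_uri, scopes, state, challenge))
    q = _query(callback)
    if not hmac.compare_digest(q.get("state", ""), state):   # ties the callback to this login attempt
        raise ValueError("state mismatch")
    return idp.token(q["code"], redirect_uri, verifier)
```

Two behaviours are worth noticing when running it: a code redeemed with the wrong verifier is consumed, so an attacker who intercepts it on the redirect does not get a second try and the legitimate client's later attempt also fails (which is what should alert you); and changing only the scheme of the redirect URI (http instead of https) is enough for the IdP to refuse the request, which is the usual cause of a registration that "matches" but does not work.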