SSO Authentication Using an X.509 Certificate

An X.509 certificate represents a guarantee by a Certificate Authority (CA) that a public key is associated with a particular identity.

Each user must have a unique public certificate, which:

  • identifies them as the subject of the certificate, using their X.509 Distinguished Name (DN).
  • is signed with the private key of the root certificate issued by the certificate authority.

TIBCO ActiveMatrix BPM must hold the corresponding public root certificate issued by the same certificate authority. Any certificate signed by the corresponding private key of this root certificate will be trusted.

When the client application invokes a BPM service, it must include the public certificate of the user (on whose behalf the call is being made) in the SOAP header.

Note: The Java Service Connector API does not support SSO authentication using an X.509 certificate. You must use the BPM web service API if you want to use X.509.

TIBCO ActiveMatrix BPM:

  • verifies the signature of the incoming message against the public root certificate. This confirms that the message originates from a trusted source.
  • validates that the supplied DN is associated with a registered user in the BPM organization model. This confirms that the subject of the message is a registered BPM user.
    Note: No LDAP lookup or password checking is performed. The user’s credentials are assumed to have been validated already because the message has been received from a trusted source.
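The two server-side checks above, as an added example that is not TIBCO code (the page describes the BPM web service API in prose only): the Go program below builds a stand-in root CA and user certificate in memory, signs a constructed message body on the client side, and on the server side verifies that the certificate chains to the held root certificate, that the body was signed by the key that certificate certifies, and that the subject DN is a registered user. The names `signedMessage`, `newCert`, `signMessage`, `userDN` and `authenticate`, the sample DN `CN=alice,OU=Sales,O=Example Corp` and the `registered` map standing in for the organization model are all assumptions; a real deployment would carry the certificate and signature in a WS-Security SOAP header rather than in this plain struct.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signedMessage stands in for the SOAP request: body, caller's public certificate, signature.
type signedMessage struct {
	Body, CertDER, Signature []byte
}

// newCert issues an ECDSA P-256 certificate for subject. With parent == nil it is
// self-signed (our stand-in root CA); otherwise it is signed with parentKey.
func newCert(serial int64, subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // a user certificate
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signMessage is the client side: sign the body with the user's private key and
// attach the user's public certificate to the message.
func signMessage(body []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (signedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return signedMessage{Body: body, CertDER: cert.Raw, Signature: sig}, err
}

// userDN renders a subject DN exactly as authenticate reads it back from a certificate
// (pkix.Name.String, RFC 2253 form, e.g. "CN=alice,OU=Sales,O=Example Corp").
func userDN(cn, ou, o string) string {
	return pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, Organization: []string{o}}.String()
}

// authenticate is the server side. registered maps subject DNs to user ids and stands
// in for the BPM organization model; no LDAP lookup or password check is made.
func authenticate(msg signedMessage, roots *x509.CertPool, registered map[string]string) (string, error) {
	cert, err := x509.ParseCertificate(msg.CertDER)
	if err != nil {
		return "", fmt.Errorf("unparseable certificate: %w", err)
	}
	// Check 1: trusted source. The certificate must chain to the held root certificate,
	// and the body must be signed by the key that certificate certifies.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by the trusted CA: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg.Body, msg.Signature); err != nil {
		return "", fmt.Errorf("message signature invalid: %w", err)
	}
	// Check 2: registered subject. The DN must belong to a registered user.
	dn := cert.Subject.String()
	user, ok := registered[dn]
	if !ok {
		return "", fmt.Errorf("DN %q is not a registered BPM user", dn)
	}
	return user, nil
}

func main() {
	root, rootKey, _ := newCert(1, pkix.Name{CommonName: "Example Root CA"}, true, nil, nil)
	roots := x509.NewCertPool() // the public root certificate held by the BPM server
	roots.AddCert(root)
	registered := map[string]string{userDN("alice", "Sales", "Example Corp"): "alice"} // constructed org model
	alice, aliceKey, _ := newCert(2, pkix.Name{CommonName: "alice",
		OrganizationalUnit: []string{"Sales"}, Organization: []string{"Example Corp"}}, false, root, rootKey)
	msg, _ := signMessage([]byte("<soap:Body>startProcess</soap:Body>"), alice, aliceKey) // constructed body
	fmt.Println(authenticate(msg, roots, registered)) // alice <nil>
}
```

The order of the checks matters for the note above: the DN lookup is only reached once the certificate has been tied to the trusted root and the signature has been verified, which is what justifies skipping any password check. A certificate carrying the same DN but issued by a different CA, or a body altered after signing, fails at the first check and never consults the user registry.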