Creating a SAML Assertion

If you want to use SAML authentication, you must also supply an appropriate SAML 2.0 assertion to identify the user to be authenticated.

The following code snippet provides a suitable example.

The NameID value identifies the subject of the assertion. Replace Clint Hill with the name of the TIBCO ActiveMatrix BPM user to be authenticated. The user can be identified using either:

  • their TIBCO ActiveMatrix BPM login name, or
  • their X.509 DN, which must match the DN of the primary LDAP source of the LDAP container from which the user was derived.
    Note: If you are using the Service Connector API, you must use the user's X.509 DN. See Using the Service Connector SamlSenderVouchesSecurityHandler Method.

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="0464867D-AAF5-43CD-9C9C-964AF85114BA" IssueInstant="2012-10-30T14:28:19.434Z" Version="2.0">
   <saml2:Issuer>CN=bpmserver, C=US, ST=CA, L=Palo Alto, OU=BPM, O=TIBCO Inc</saml2:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#0464867D-AAF5-43CD-9C9C-964AF85114BA">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>SUHIxGFcFeW0dAv0OfbGIpqK6+8=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>L3bjrdg9Qxz0ww+LFUxn1WjNsiozo6CgnLqutCwXC1vfCmqhXTsKrbgNWjlk0vPwNOdpstWmjzJcdOJOngE2cRe9i/6/bmdHnqkPnutJWAYQ1+hsoUFi6GaIk1fobpVpVL2cpRLVTsbmIiQYsf3sEvSBrxNhnbVKPpdxOceZICY=</ds:SignatureValue>
      <ds:KeyInfo>
         <ds:KeyValue>
            <ds:RSAKeyValue>
               <ds:Modulus>hBPx1DVeRniAK5GK6Y3PErDmfR4UwePV1Yqtb9yxHVRAajQBVI0ndsuag++WQGhboal039Kq86STQ9uaD/6/KiEeNpDQdRHYBGSBDnyEFY6k8gQN3PjfPwH1Y2Bs1dVohHPpJ5Zd+qmK9U5m8Dgh+pHv5gVqGachV318cm82+6k=</ds:Modulus>
               <ds:Exponent>AQAB</ds:Exponent>
            </ds:RSAKeyValue>
         </ds:KeyValue>
      </ds:KeyInfo>
   </ds:Signature>
   <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">Clint Hill</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
   </saml2:Subject>
   <saml2:Conditions NotBefore="2012-10-30T14:28:19.434Z" NotOnOrAfter="2012-10-30T14:48:19.434Z"/>
</saml2:Assertion>
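As an added example (not TIBCO's code), the following Python check validates the structure an assertion of this shape must have before it is trusted: the signature Reference points at the Assertion ID, the NameID is present and not padded with whitespace (padding would stop it matching the BPM user), the SubjectConfirmation Method is sender-vouches, and the receiving time falls inside the Conditions window. The sample assertion, its ID and its DN values are constructed for the example; XML-DSig signature verification is deliberately left to a dedicated library.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed sample in the shape the page describes. The signature body is
# omitted: this check covers the assertion structure, not the signature itself.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-id" IssueInstant="2012-10-30T14:28:19.434Z" Version="2.0">
  <saml2:Issuer>CN=bpmserver, C=US</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_example-id"/></ds:SignedInfo>
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=Clint Hill,OU=BPM</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2012-10-30T14:28:19.434Z" NotOnOrAfter="2012-10-30T14:48:19.434Z"/>
</saml2:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC ISO 8601 with fractional seconds and a trailing Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)

def check_assertion(xml_text, now):
    """Return a list of problems found; an empty list means the structure is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != SAML2 + "Assertion" or root.get("Version") != "2.0":
        problems.append("not a SAML 2.0 Assertion")
    assertion_id = root.get("ID")
    ref = root.find(f"./{DS}Signature/{DS}SignedInfo/{DS}Reference")
    if ref is None or ref.get("URI") != f"#{assertion_id}":
        problems.append("signature Reference URI does not point at the Assertion ID")
    name_id = root.find(f"./{SAML2}Subject/{SAML2}NameID")
    if name_id is None or not name_id.text or name_id.text != name_id.text.strip():
        problems.append("NameID missing or padded with whitespace (would not match a user)")
    conf = root.find(f"./{SAML2}Subject/{SAML2}SubjectConfirmation")
    if conf is None or conf.get("Method") != SENDER_VOUCHES:
        problems.append("SubjectConfirmation Method is not sender-vouches")
    cond = root.find(f"./{SAML2}Conditions")
    if cond is None:
        problems.append("Conditions missing")
    else:
        not_before = parse_ts(cond.get("NotBefore"))
        not_after = parse_ts(cond.get("NotOnOrAfter"))
        if not (not_before <= now < not_after):  # NotOnOrAfter is exclusive
            problems.append("assertion is outside its validity window")
    return problems
```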