Authenticating Access to an Exposed Service

At runtime, security policies are automatically enforced on the endpoint of an exposed service to ensure that access is restricted to authenticated users. Every call to the service must be made using the identity of a user who is registered in the BPM organization model. A call that does not meet this requirement will be rejected.

The following table summarizes the authentication requirements, according to the type of client that is attempting to access the service.

Service is called by: External client application
Authentication requirements: Every API call to the service must be authenticated. The following authentication methods are available:

  • Direct authentication - This method requires the calling application to provide valid TIBCO ActiveMatrix BPM login credentials when calling a TIBCO ActiveMatrix BPM service.

    For more information, see "Direct Authentication" in the TIBCO ActiveMatrix BPM Developer's Guide.

  • Single sign-on - When using this method, a user who already has a login session with the client application does not need to provide their login credentials again when calling a TIBCO ActiveMatrix BPM service.

    For more information, see the TIBCO ActiveMatrix BPM Single Sign-On guide.

Service is called by: Another BPM application in the BPM runtime
Authentication requirements: None. The login credentials used to access the calling process are propagated automatically to the endpoint of the exposed service.

Service is called by: SOA application (for example, Mediation)
Authentication requirements: An appropriate security policy set and intent must be added to the calling SOA application, to ensure that the correct security context can be propagated to the endpoint of the exposed service. See "Calling the Service from a SOA Application".