SSO Authentication Using a SAML Token

TIBCO ActiveMatrix BPM supports authentication by a signed SAML 2.0 token using the "sender-vouches" subject confirmation method, whereby an intermediary (for example Microsoft Active Directory) vouches for the user making the request.

The intermediary:

  • authenticates the user and generates a SAML assertion holding the user's identity (either a BPM username or a DN).
  • signs the assertion using its private key.

TIBCO ActiveMatrix BPM must hold the public certificate corresponding to the private key used to sign the SAML assertion.

When the client application invokes a BPM service, it must include the SAML assertion of the user (on whose behalf the call is being made) in the SOAP header.

TIBCO ActiveMatrix BPM:

  • verifies the signature of the incoming message against the public certificate. This confirms that the message originates from a trusted source.
  • validates that the identity supplied in the SAML assertion is associated with a registered user in the BPM organization model. This confirms that the subject of the message is a registered BPM user.
    Note: No LDAP lookup or password checking is performed. The user’s credentials are assumed to have been validated already because the message has been received from a trusted source.
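The following Go program is an added illustration of the two checks described above (signature verification against a trusted public key, then a registry lookup of the asserted identity); it is not TIBCO code and does not use TIBCO APIs. It simplifies the wire format: the assertion is carried without SAML/WS-Security namespaces, and instead of an enveloped XML-DSig signature it uses a detached RSA-SHA256 signature over the assertion re-serialized with encoding/xml, which stands in for canonicalization. The function and type names (`Issue`, `BuildEnvelope`, `Authenticate`, `Security`) and the registered-user map are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// SenderVouches is the SAML 2.0 subject confirmation method URI the page refers to.
const SenderVouches = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

// Assertion is a cut-down SAML assertion: only subject and confirmation method.
// Real assertions also carry Issuer, Conditions (validity window) and an XML-DSig Signature.
type SubjectConfirmation struct {
	Method string `xml:"Method,attr"`
}
type Subject struct {
	NameID       string              `xml:"NameID"` // BPM username or DN
	Confirmation SubjectConfirmation `xml:"SubjectConfirmation"`
}
type Assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	ID      string   `xml:"ID,attr"`
	Subject Subject  `xml:"Subject"`
}

// Security models the WS-Security SOAP header block (namespaces omitted, assumption):
// the assertion plus the intermediary's detached signature, base64 encoded.
type Security struct {
	XMLName   xml.Name  `xml:"Security"`
	Assertion Assertion `xml:"Assertion"`
	Signature string    `xml:"Signature"`
}
type Envelope struct {
	XMLName xml.Name `xml:"Envelope"`
	Header  struct {
		Security Security `xml:"Security"`
	} `xml:"Header"`
	Body struct {
		Inner string `xml:",innerxml"`
	} `xml:"Body"`
}

var (
	ErrUntrusted   = errors.New("assertion signature does not verify against the trusted certificate")
	ErrBadMethod   = errors.New("subject confirmation method is not sender-vouches")
	ErrUnknownUser = errors.New("assertion subject is not a registered BPM user")
)

// Issue is the intermediary's side: it vouches for user by signing the assertion with its private key.
func Issue(key *rsa.PrivateKey, user, id string) (Security, error) {
	a := Assertion{ID: id}
	a.Subject.NameID = user
	a.Subject.Confirmation.Method = SenderVouches
	data, err := xml.Marshal(a) // deterministic serialization stands in for C14N
	if err != nil {
		return Security{}, err
	}
	h := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return Security{}, err
	}
	return Security{Assertion: a, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// BuildEnvelope is the client application's side: it places the assertion in the SOAP header.
func BuildEnvelope(sec Security, body string) ([]byte, error) {
	var env Envelope
	env.Header.Security = sec
	env.Body.Inner = body
	return xml.Marshal(env)
}

// Authenticate is the BPM side: signature check first (trusted source), then identity check
// (registered user). No password or LDAP lookup happens, exactly as the page describes.
func Authenticate(envelope []byte, trusted *rsa.PublicKey, registered map[string]bool) (string, error) {
	var env Envelope
	if err := xml.Unmarshal(envelope, &env); err != nil {
		return "", err
	}
	sec := env.Header.Security
	data, err := xml.Marshal(sec.Assertion) // re-canonicalize what was received
	if err != nil {
		return "", err
	}
	sig, err := base64.StdEncoding.DecodeString(sec.Signature)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(data)
	if err := rsa.VerifyPKCS1v15(trusted, crypto.SHA256, h[:], sig); err != nil {
		return "", ErrUntrusted
	}
	if sec.Assertion.Subject.Confirmation.Method != SenderVouches {
		return "", ErrBadMethod
	}
	user := sec.Assertion.Subject.NameID
	if !registered[user] {
		return "", ErrUnknownUser
	}
	return user, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // intermediary's key; BPM trusts &key.PublicKey
	registered := map[string]bool{"jsmith": true}  // constructed stand-in for the organization model
	sec, _ := Issue(key, "jsmith", "_a1")
	env, _ := BuildEnvelope(sec, "<GetTasks/>")
	user, err := Authenticate(env, &key.PublicKey, registered)
	fmt.Println("valid:", user, err)
	sec.Assertion.Subject.NameID = "admin" // tamper after signing: signature no longer verifies
	env, _ = BuildEnvelope(sec, "<GetTasks/>")
	_, err = Authenticate(env, &key.PublicKey, registered)
	fmt.Println("tampered:", err)
}
```

The order of the checks matters for the reasoning on this page: the signature is what makes the identity trustworthy, so an unregistered name with a valid signature is rejected by the second check, while a registered name presented under a forged or altered assertion never reaches it.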