Authentication

All access to TIBCO ActiveMatrix BPM requires the use of an authenticated user, whether that access is through run-time user interfaces, web service APIs, deployment or other supported access mechanisms.

Users must be registered with TIBCO ActiveMatrix BPM via the Organization Browser - see Organization Model and Resource Management.

TIBCO ActiveMatrix BPM supports the following methods of authenticating users:

  • Direct authentication - With direct authentication, the calling application provides valid TIBCO ActiveMatrix BPM login credentials on every call to a TIBCO ActiveMatrix BPM service. This is the default authentication method used by TIBCO ActiveMatrix BPM.

    The type of direct authentication to use depends on the type of interface you are using:

    • Web Service API or Java Service Connector

      An API call to the web service API (SOAP) or Java Service Connector must include a UsernameToken in the SOAP header, which specifies the username and password of the user on whose behalf the call is being made. This uses Web Services Security UsernameToken Profile 1.0.

      A TIBCO ActiveMatrix BPM LDAP authentication provider resource instance (for example, amx.bpm.auth.easyAs) is also required, which validates:
      • the supplied username against the BPM organization model.
      • the supplied password against the LDAP entity represented by that BPM user.
      Note: Use of HTTPS is not mandatory when using direct authentication with a UsernameToken. However, if HTTPS is not used, every service invocation will include an unencrypted user name and password within the SOAP header. It is therefore essential for a secure system to use HTTPS.

      The sample client applications provided with ActiveMatrix BPM implement direct authentication using a UsernameToken.

    • REST API

      A call to the REST API must supply a valid username and password in an HTTP Basic Authentication header.

    For additional information, see "Direct Authentication" in the TIBCO ActiveMatrix BPM Developer's Guide.

  • Single sign-on (SSO) authentication - With SSO authentication, a user who already has a login session with the client application does not need to provide login credentials again when calling a TIBCO ActiveMatrix BPM service (provided that their credentials are also valid for logging in to TIBCO ActiveMatrix BPM).

    Different types of SSO authentication can be used, depending on the API:

    • X.509 certificates:
      • SOAP API
    • SAML tokens:
      • SOAP API
      • Java Service Connector API
    • SiteMinder:
      • REST API
      • Openspace and Workspace clients
    • Kerberos:
      • REST API
      • Openspace and Workspace clients

    For additional information, see the TIBCO ActiveMatrix BPM Single Sign-On guide.
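The two direct-authentication credential forms described in the Direct authentication bullet above, the WS-Security UsernameToken Profile 1.0 header used by the SOAP API and Java Service Connector and the HTTP Basic Authentication header used by the REST API, together with a guard that enforces the HTTPS caveat from the Note, as an added Python example that is not part of the TIBCO documentation or of the ActiveMatrix BPM product or sample clients. The namespace URIs are the standard SOAP 1.1 and WS-Security 1.0 ones; the endpoint URL, user name and password are constructed sample values, and the `amx.bpm/ws` path is a placeholder, not a real BPM endpoint.

```python
"""Added example (not TIBCO's code): build the credentials that TIBCO
ActiveMatrix BPM direct authentication expects and refuse to send them
over plain HTTP. Endpoint, user name and password below are constructed
sample values."""
import base64
from typing import Optional
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SOAP 1.1 / WS-Security 1.0 namespaces (assumption: the BPM
# endpoint uses these standard URIs, which the page does not list).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)
ET.register_namespace("wsu", WSU_NS)


class InsecureTransportError(ValueError):
    """Raised when credentials would travel over a non-HTTPS endpoint."""


def transport_is_secure(endpoint: str) -> bool:
    """True only for https:// URLs; both credential forms carry the password
    in the clear, so anything else exposes it to anyone on the path."""
    return urlparse(endpoint).scheme == "https"


def require_https(endpoint: str) -> str:
    """Enforce the documentation's caveat before any credential leaves the client."""
    if not transport_is_secure(endpoint):
        raise InsecureTransportError(
            f"refusing to send BPM credentials over {urlparse(endpoint).scheme!r}; use https")
    return endpoint


def soap_username_token_envelope(username: str, password: str, body_xml: str) -> str:
    """Wrap body_xml in a SOAP 1.1 envelope whose header carries a WS-Security
    UsernameToken (PasswordText), the form the SOAP API and Java Service
    Connector require."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken",
                          {f"{{{WSU_NS}}}Id": "UsernameToken-1"})
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_TEXT})
    pw.text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def rest_basic_auth_header(username: str, password: str) -> dict:
    """HTTP Basic Authentication header for the REST API: base64 of user:password."""
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def credentials_visible_on_the_wire(envelope: str) -> tuple:
    """Why HTTPS is essential: whoever observes the SOAP message can read the
    user name and password straight back out of the header."""
    root = ET.fromstring(envelope)
    user = root.find(f".//{{{WSSE_NS}}}Username").text
    pw = root.find(f".//{{{WSSE_NS}}}Password").text
    return user, pw


def prepare_request(endpoint: str, username: str, password: str,
                    body_xml: Optional[str] = None):
    """Attach the credential form matching the interface (SOAP envelope when a
    body is given, REST Basic header otherwise), only after the HTTPS check."""
    require_https(endpoint)
    if body_xml is not None:
        return soap_username_token_envelope(username, password, body_xml)
    return rest_basic_auth_header(username, password)


if __name__ == "__main__":
    # Constructed sample values; the host and path are placeholders.
    env = prepare_request("https://bpm.example.test/amx.bpm/ws", "bpm_user", "s3cret",
                          "<ping xmlns='urn:example'/>")
    print(env)
    print("readable by any observer:", credentials_visible_on_the_wire(env))
    try:
        prepare_request("http://bpm.example.test/amx.bpm/ws", "bpm_user", "s3cret")
    except InsecureTransportError as exc:
        print("blocked:", exc)
```

`credentials_visible_on_the_wire` exists only to make the Note concrete: the token and the Basic header are encodings, not protection, so the HTTPS check in `require_https` is the control that actually keeps the password confidential on each service invocation.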