Using ActiveMatrix Administrator to create an OpenID Connect Shared Resource

ActiveMatrix Administrator can be used to create a shared resource for OpenID Connect.

  1. From ActiveMatrix Administrator, select Shared Objects > Resource Templates.
  2. In the Type field, select "OpenID Authentication".
  3. In the Scope section, select the Environment option, then choose "BPMEnvironment".
  4. In the Scope section, select the Application option, then choose "amx.bpm.app".
  5. Click New.
  6. Complete the Add Resource Template dialog, using the field descriptions below:
Note: Microsoft Active Directory Federation Services (ADFS) is the only Identity Provider (IdP) that is supported by, and has been tested with, ActiveMatrix BPM.
Field / Option Description
Name This must be "amx.bpm.auth.openid".
Type This is "OpenIDAuthenticationProvider" for this type of shared resource.
Description (optional) A description for the OpenID shared resource.
Access token URI The IdP's OAuth 2.0 token endpoint, which the ActiveMatrix BPM server calls to obtain an ID Token for the authenticated user.
Note: The OAuth access token that the token endpoint also returns is not used by ActiveMatrix BPM. Only the ID Token is used, to identify the user.

This is specific to the IdP and is documented by the IdP in its instructions for registering an application with it.

For Microsoft ADFS, this must be:

 https://host:port/adfs/oauth2/token

where host is the DNS name of the ADFS server (the IdP, not the ActiveMatrix BPM runtime), and port is the port on which ADFS accepts HTTPS connections (omit :port if ADFS uses the default, 443).

Client ID The ID that identifies the client at the Identity Provider (IdP). This, and the Client Secret (see below), are obtained from the IdP when the client registers an application with the IdP for the purpose of providing authentication for users. For information, see Registering an Application at an Identity Provider.
Client Secret The secret issued by the IdP for the Client ID, which the ActiveMatrix BPM server presents to the IdP's token endpoint. Treat it as a credential. See the description above.
Redirect URI The URI to which the IdP redirects the browser after it has authenticated the user and generated an ID Token. For all ActiveMatrix BPM applications, this must be the following:
http://host:port/openspace/sso/bpmssoapp.html

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application. If the application is served over TLS, use https rather than http.

This value must match, character for character, the redirect URI registered for the application at the IdP; the IdP rejects an authentication request whose redirect URI does not match one that is registered. For more information, see Registering an Application at an Identity Provider.

Authorization URI The IdP's OAuth 2.0 authorization endpoint, to which the browser is redirected so that the IdP can authenticate the user and then return the browser to the Redirect URI with the authentication response.

This URI is documented by the IdP in its instructions for registering an application with it.

For Microsoft ADFS, this must be:

 https://host:port/adfs/oauth2/authorize

where host is the DNS name of the ADFS server (the IdP, not the ActiveMatrix BPM runtime), and port is the port on which ADFS accepts HTTPS connections (omit :port if ADFS uses the default, 443).

Auth Scope (optional) Defines the claims that the IdP returns in the ID Token when it authenticates the user. These claims are user attributes and are intended to provide the application with user details.

The openid scope is requested by default, even though it is not shown in the Auth Scope field. (The openid scope causes the sub claim to be returned, which uniquely identifies the user at the IdP.) Any value entered in the Auth Scope field replaces that default rather than adding to it. Therefore, for ActiveMatrix BPM applications, a non-empty Auth Scope MUST include openid, plus any further scope your IdP requires.

For Microsoft ADFS, this must be:

openid,upn

Multiple scopes can be either comma- or space-separated in the Auth Scope field.
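The following is an added example in Go, not code from ActiveMatrix BPM or its documentation. It shows how the Auth Scope rule above interacts with the Authorization URI, Client ID and Redirect URI fields when the request to the authorization endpoint is built: an empty field yields the default openid, a comma- or space-separated field is normalized, and a field that omits openid is rejected rather than silently dropping the sub claim. It assumes the authorization code flow (response_type=code) and adds a state parameter, which the page's field list does not cover but which any client should send to bind the callback to the request; the ADFS host, client ID and BPM host are constructed values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// NormalizeAuthScope turns the Auth Scope field into the space-separated scope
// parameter. An empty field means the default, openid. A non-empty field
// replaces that default, so openid must then be present explicitly; if it is
// not, the IdP would return no sub claim, so the value is rejected here.
func NormalizeAuthScope(field string) (string, error) {
	seen := map[string]bool{}
	var scopes []string
	for _, s := range strings.Fields(strings.ReplaceAll(field, ",", " ")) {
		if !seen[s] { // accept comma or space separators, drop duplicates, keep order
			seen[s] = true
			scopes = append(scopes, s)
		}
	}
	if len(scopes) == 0 {
		return "openid", nil
	}
	if !seen["openid"] {
		return "", fmt.Errorf("Auth Scope %q overrides the default and omits openid", field)
	}
	return strings.Join(scopes, " "), nil
}

// BuildAuthorizeURL assembles the request the browser is redirected to at the
// Authorization URI. Assumes the authorization code flow (response_type=code).
// net/url percent-encodes every value, and redirect_uri is sent exactly as
// configured so the IdP can match it against the registered one.
func BuildAuthorizeURL(authURI, clientID, redirectURI, scopeField, state string) (string, error) {
	scope, err := NormalizeAuthScope(scopeField)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(authURI)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", state) // per-request random value, checked on the callback (assumed, not a page field)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed ADFS host, client ID and BPM host; the path is the redirect URI the page mandates.
	u, err := BuildAuthorizeURL("https://adfs.example.com/adfs/oauth2/authorize", "amx-bpm",
		"https://bpm.example.com:8080/openspace/sso/bpmssoapp.html", "openid,upn", "n0nc3")
	fmt.Println(u, err)
}
```

The scope string in the resulting URL is "openid upn"; the same input with "upn" alone is refused before any request is built.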

User Key (optional) The name of the claim, from those the IdP returns in the ID Token (which depend on the Auth Scope), that identifies the user.

For Microsoft ADFS, this must be:

upn

The upn claim contains the user's user principal name (UPN), which has the form user@domain and usually matches the user's email address. In the final authentication step the server looks this value up to verify that the user is a valid ActiveMatrix BPM user.

JSON Web Key Set URI The URI of the JSON Web Key Set (JWKS), a JSON document containing the public keys with which the server verifies the signature on the JSON Web Token (JWT) ID Token issued by the IdP. An ID Token whose signature does not verify against one of these keys cannot be trusted, so this URI is the trust anchor for the whole login and must be fetched from the IdP over HTTPS.

This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP.

For Microsoft ADFS, this must be:

 https://host:port/adfs/discovery/keys

where host is the DNS name of the ADFS server (the IdP, not the ActiveMatrix BPM runtime), and port is the port on which ADFS accepts HTTPS connections (omit :port if ADFS uses the default, 443).
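The following is an added example in Go, not code from ActiveMatrix BPM or its documentation. It shows what the JSON Web Key Set URI and User Key fields are for: an ID Token is accepted only if its RS256 signature verifies against the key in the JWKS whose kid matches the token header, and only then is the claim named by User Key ("upn" for ADFS) read out, after the issuer, audience and expiry checks. Instead of fetching https://host:port/adfs/discovery/keys, the example generates its own RSA key to play the IdP, builds the JWKS from it, and mints a token with constructed issuer, client ID, kid and user values; the signing helper exists only to produce that input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments and JWK members use unpadded base64url

// JWKS mirrors the document served at the JSON Web Key Set URI, keeping only the members
// needed to rebuild an RSA public key (encoding/json matches kty/kid/n/e case-insensitively).
type JWKS struct {
	Keys []struct{ Kty, Kid, N, E string }
}

// jwksFromKey stands in for fetching https://host:port/adfs/discovery/keys over HTTPS.
func jwksFromKey(kid string, pub *rsa.PublicKey) JWKS {
	n, e := b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []struct{ Kty, Kid, N, E string }{{"RSA", kid, n, e}}}
}

// signIDToken mints an RS256 ID Token the way the IdP would; it exists only to produce input.
func signIDToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// keyFor selects the JWKS entry whose kid matches the token header.
func keyFor(keys JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// VerifyIDToken checks the ID Token's RS256 signature against the JWKS, then its issuer, audience
// (the Client ID) and expiry, and returns the claim named by userKey (the User Key field, "upn" for ADFS).
func VerifyIDToken(token string, keys JWKS, issuer, clientID, userKey string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	hdrRaw, errH := b64.DecodeString(parts[0])
	bodyRaw, errB := b64.DecodeString(parts[1])
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if errH != nil || errB != nil || json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(bodyRaw, &claims) != nil {
		return "", fmt.Errorf("undecodable header or payload")
	}
	// The verifier, not the token, fixes the algorithm: "none" and HMAC algs are refused outright.
	if hdr.Alg != "RS256" {
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, err := keyFor(keys, hdr.Kid)
	if err != nil {
		return "", err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature verification failed")
	}
	// Claims mean something only after the signature check. ADFS sends aud as a plain string.
	if claims["iss"] != issuer || claims["aud"] != clientID {
		return "", fmt.Errorf("issuer or audience mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return "", fmt.Errorf("token expired or has no exp")
	}
	user, ok := claims[userKey].(string)
	if !ok || user == "" {
		return "", fmt.Errorf("user key claim %q missing from ID Token", userKey)
	}
	return user, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // plays the IdP's signing key; all names below are constructed
	now := time.Now()
	tok, _ := signIDToken(priv, "adfs-1", map[string]any{"iss": "https://adfs.example.com/adfs", "aud": "amx-bpm",
		"exp": float64(now.Add(5 * time.Minute).Unix()), "upn": "jdoe@example.com"})
	fmt.Println(VerifyIDToken(tok, jwksFromKey("adfs-1", &priv.PublicKey), "https://adfs.example.com/adfs", "amx-bpm", "upn", now))
}
```

The order matters: the algorithm is pinned before any key lookup, the signature is checked before any claim is read, and the User Key claim is returned only when issuer, audience and expiry are also right. A token signed by a key that is not in the JWKS, a token whose header says alg=none, or a token whose aud is another client's ID all fail before a user name is produced.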

Logout Path When a user logs out of an ActiveMatrix BPM application, the browser sends a request for this path to the ActiveMatrix BPM server. This property must be set to:

/bpm/logout

A request for this path tells the server that it must also log the user out at the IdP, using the value of the Signout URL property (see below).

If you are using Openspace, Workspace, or a custom WCC application, you must also specify this same logout path in the respective configuration file for those applications. For Openspace, see Configuring What Happens on Openspace Logout. For Workspace and custom WCC applications, see Logout Path.

Signout URL When the server receives a request for the Logout Path ("/bpm/logout"), it uses this URL to send the IdP a request to log the user out of the IdP.

The signout URL is specific to the IdP.

For Microsoft ADFS, this must be:

https://host:port/adfs/ls/?wa=wsignout1.0

where host is the DNS name of the ADFS server (the IdP, not the ActiveMatrix BPM runtime), and port is the port on which ADFS accepts HTTPS connections (omit :port if ADFS uses the default, 443).

Redirecting to the application landing page

Depending on the IdP, you may be able to append a further parameter to the Signout URL so that, after logging the user out, the IdP redirects the browser to the ActiveMatrix BPM application's landing page. Not all IdPs support this; some simply display a standard page stating that the user has been logged out. The name of the parameter that carries the redirect target also varies between IdPs. For example:

For Microsoft ADFS, this is:

https://host:port/adfs/ls/?wa=wsignout1.0&wreply=http://host:port/appPath

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, port is the port used by the application, and appPath is the path to the application's landing page. Because the value of wreply is itself a URL carried inside a query string, percent-encode it if it contains characters such as & or ?.

Unauthorized Redirect Requests (optional) Specifies whether the application, rather than the shared resource, handles unauthorized requests and forwards them to the appropriate location. ActiveMatrix BPM handles unauthorized requests itself, so for ActiveMatrix BPM applications this option must be selected.