Authentication

All access to TIBCO ActiveMatrix BPM requires the use of an authenticated user, whether that access is through run-time user interfaces, web service APIs, deployment or other supported access mechanisms.

Users must be registered with TIBCO ActiveMatrix BPM via the Organization Browser - see Organization Model and Resource Management.

TIBCO ActiveMatrix BPM supports the following methods of authenticating users:

  • Direct authentication - Direct authentication requires the calling application to provide valid TIBCO ActiveMatrix BPM login credentials when calling a TIBCO ActiveMatrix BPM service. This is the default authentication method used by TIBCO ActiveMatrix BPM.

    The type of direct authentication to use depends on the type of interface you are using:

    • Web Service API or Java Service Connector

      An API call to the web service API (SOAP) or Java Service Connector must include a UsernameToken in the SOAP header, which specifies the username and password of the user on whose behalf the call is being made. This uses Web Services Security UsernameToken Profile 1.0.

      A TIBCO ActiveMatrix BPM LDAP authentication provider resource instance (for example, amx.bpm.auth.easyAs) is also required, which validates:
      • the supplied username against the BPM organization model.
      • the supplied password against the LDAP entity represented by that BPM user.
      Note: Use of HTTPS is not mandatory when using direct authentication with a UsernameToken. However, if HTTPS is not used, every service invocation will include an unencrypted user name and password within the SOAP header. It is therefore essential for a secure system to use HTTPS.

      The sample client applications provided with ActiveMatrix BPM implement direct authentication using a UsernameToken.

    • REST API

      A call to the REST API must supply a valid username and password in an HTTP Basic Authentication header.

    For additional information, see Direct Authentication.

  • Single sign-on (SSO) authentication - With SSO authentication, a user who already has a login session with the client application does not need to provide login credentials again when calling a TIBCO ActiveMatrix BPM service (provided that their credentials are also valid for logging in to TIBCO ActiveMatrix BPM).

    Different types of SSO authentication can be used, depending on the API or client you are using:

    • X.509 certificates
    • SAML tokens
    • SAML Web Profile
    • OpenID Connect
    • SiteMinder
    • Kerberos

    For additional information, as well as the APIs and clients that support each of these SSO types, see Introduction to Single Sign-On Authentication.
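The two credential carriers that direct authentication uses, a WS-Security UsernameToken in the SOAP header and an HTTP Basic Authentication header for the REST API, as an added example (not TIBCO's code; the endpoint URL, user name, password and SOAP body are constructed values). It also shows why the note above insists on HTTPS: both carriers put the password on the wire in clear text, and base64 in the Basic header is encoding, not encryption.

```python
# Added example (not TIBCO's code): build a UsernameToken SOAP header and an
# HTTP Basic header, show that both expose the password, and refuse to send
# either to a non-HTTPS endpoint. All names and values here are constructed.
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Password Type URI from WSS UsernameToken Profile 1.0 for clear-text passwords
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)


def soap_envelope_with_username_token(username, password, body_xml):
    """Return a SOAP 1.1 envelope whose Security header carries a UsernameToken."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    pwd = ET.SubElement(token, f"{{{WSSE_NS}}}Password", Type=PASSWORD_TEXT)
    pwd.text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))  # caller-supplied operation element
    return ET.tostring(env, encoding="unicode")


def basic_auth_header(username, password):
    """HTTP Basic Authentication header value, as the REST API expects."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_auth_password(header_value):
    """Recover the password from a Basic header: anyone on the path can do this."""
    encoded = header_value.split(" ", 1)[1]
    return base64.b64decode(encoded).decode("utf-8").split(":", 1)[1]


def credentials_exposed_on_wire(message, password):
    """True if the password is readable in the serialized message (no TLS)."""
    return password in message


def require_https(endpoint_url):
    """Client-side check: never send a credential-bearing request without TLS."""
    if urlparse(endpoint_url).scheme != "https":
        raise ValueError(f"refusing to send credentials over {endpoint_url}")
    return endpoint_url
```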

Note: Openspace and Workspace (as well as custom WCC applications) can be configured to allow dual authentication, meaning that the application concurrently supports both direct authentication and SSO authentication. When configured for dual authentication, users can log in using direct authentication, even if ActiveMatrix BPM is configured to use SSO authentication.

For additional information about dual authentication, see Dual Authentication.