Introduction to Single Sign-On Authentication

When single sign-on (SSO) authentication is used, a user who already has a login session with the client application does not need to provide their login credentials again when calling a TIBCO ActiveMatrix BPM service (provided their credentials are also valid for logging into TIBCO ActiveMatrix BPM).

SSO authentication requires that TIBCO ActiveMatrix BPM can:

  • verify that the incoming message is from a trusted source, and
  • validate the subject of the message as a registered TIBCO ActiveMatrix BPM user.

TIBCO ActiveMatrix BPM supports the use of the following to facilitate SSO authentication:

Type: X.509 certificates
Supported by:
  • ActiveMatrix BPM public SOAP API

Type: SAML tokens
Supported by:
  • ActiveMatrix BPM public SOAP API
  • ActiveMatrix BPM public Java Service Connector

Type: SAML Web Profile
Supported by:
  • ActiveMatrix BPM public REST API
  • Process-As-A-Service REST API
  • Bundled web applications [2] that use the bpm-login business component
  • Custom Client Applications [1]
  • TIBCO Openspace and Workspace clients

Type: SiteMinder
Supported by:
  • ActiveMatrix BPM public REST API
  • TIBCO Openspace and Workspace clients

Type: Kerberos
Supported by:
  • ActiveMatrix BPM public REST API
  • Custom Client Applications [1]
  • TIBCO Openspace and Workspace clients

Type: OpenID Connect JWT tokens
Supported by:
  • ActiveMatrix BPM public REST API
  • Process-As-A-Service REST API
  • Bundled web applications [2] that use the bpm-login business component
  • Custom Client Applications [1]
  • TIBCO Openspace and Workspace clients

[1] In this context, these are ActiveMatrix BPM applications that are developed using, or supplied as part of, the Client Application Framework, such as Workapp. For more information, see Client Application Development.

[2] These are applications (for example, openworkitem and startbizaction) that are bundled with Application Development. They demonstrate how to use the business components that are provided with Application Development. (For more information, see Bundled Applications.) Bundled applications can use OpenID Connect or SAML Web Profile authentication if you have embedded the bpm-login business component in the bundled application. The bpm-login business component provides OpenID Connect and SAML Web Profile authentication capability out of the box. If you are using this component, you do not need to add the interceptor script (bpm-sso-interceptor.min.js) to your application's launch script (as described in Using OpenID Connect with Custom Applications and Using SAML Web Profile Authentication with Custom Applications).

See also:

  • Using X.509 Certificates or SAML Tokens for SSO Authentication
  • Using SiteMinder with ActiveMatrix BPM
  • Using Kerberos with ActiveMatrix BPM
  • Using OpenID Connect with ActiveMatrix BPM
  • Using SAML Web Profiles with ActiveMatrix BPM