ActiveMatrix BPM: OpenID Connect Configuration

Note: This screen is only displayed if you selected Open ID as the Authentication Type on the Authentication Configuration screen.
Note: Microsoft Active Directory Federation Services (ADFS) is the only Identity Provider (IdP) that is supported by, and has been tested with, ActiveMatrix BPM.
Field / Option Description
Client ID The ID that identifies the client at the Identify Provider. This, and the Client Secret (see below), are obtained from the IdP when the client registers an application with the IdP for the purpose of providing authentication for users.

For information, see "Registering an Application at an Identity Provider" in the TIBCO ActiveMatrix Single Sign-On guide.

Client Secret The password for the Client ID account. See the description above.
Redirect URI The URI to which the IdP will redirect the user after authenticating the user and generating an ID Token. For all ActiveMatrix BPM applications, this must be the following:
http://host:port/openspace/sso/bpmssoapp.html

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application.

Also note that this URI must match exactly the Redirect URI that was specified when registering the application with the IdP.

For more information, see "Registering an Application at an Identity Provider" in the TIBCO ActiveMatrix Single Sign-On guide.

Authorization Info URI The REST Open ID user claims/information service URI, which is used to obtain user profile information.

This URI, which is unique to the IdP, can be obtained from the IdP's website on which they describe how to register an application with the IdP.

For Microsoft ADFS, this must be:

https://host:port/adfs/oauth2/authorize

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application.

Access Token URI The REST OpenID token service URI, which is used to obtain an ID Token for the authenticated user.
Note: Using the OpenID Access Token is not currently supported in ActiveMatrix BPM. The OpenID ID Token is used to identify the user.

This URI, which is unique to the IdP, can be obtained from the IdP's website on which they describe how to register an application with the IdP.

For Microsoft ADFS, this must be:

https://host:port/adfs/oauth2/token

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application.

JSON Web Key Set URI The URI to the JSON Web Key Set (JWKS), which is a JSON data structure that represents a set of public keys used to verify the signature of the JSON Web Token (JWT) ID Token issued by the IdP.

This URI, which is unique to the IdP, can be obtained from the IdP's website on which they describe how to register an application with the IdP.

For Microsoft ADFS, this must be:

https://host:port/adfs/discovery/keys

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application.

Auth Scope Optional) Defines the claims to be returned by the IdP when the IdP authenticates the user and issues an ID Token. These claims are user attributes and are intended to provide the application with user details.

The openid scope is included by default (even though it does not appear in the Auth Scope field by default). (The openid scope causes the sub claim to be returned, which uniquely identifies the user.) However, if any scope is entered in the Auth Scope field, it overrides the default value of openid. Because of that, for ActiveMatrix BPM applications, you MUST include openid, and possibly another scope, depending on your IdP.

For Microsoft ADFS, this must be:

openid,upn

Multiple scopes can be either comma- or space-separated in the Auth Scope field.

User Key (optional) From the list of claims that are returned from the IdP (based on the Auth Scope), this specifies the claim that is used to identify the user.

For Microsoft ADFS, this must be:

upn

The upn claim contains the user's email address, which is used in the final authentication step to verify that the user is a valid ActiveMatrix BPM user.

Logout Path When a user logs out of an ActiveMatrix BPM application, the browser sends this value to the ActiveMatrix BPM server. This property must be set to:

/bpm/logout

This value indicates to the server that it needs to send a request to the IdP to log the user out, using the value specified in the SignOutURL property (see below).

If you are using Openspace, Workspace, or a custom WCC application, you must also specify this same logout path in the respective configuration file for those applications. For Openspace, see "Configuring What Happens on Openspace Logout" in the TIBCO Openspace Customization Guide. For Workspace and custom WCC applications, see "Logout Path" in the TIBCO Workspace Configuration and Customization Guide.

Signout URL Upon receiving "/bpm/logout" in the LogOutPath property, the server uses this URL to send the IdP a request to log the user out of the IdP.

The signout URL is specific to the IdP.

For Microsoft ADFS, this must be:

https://host:port/adfs/ls/?wa=wsignout1.0

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application.

Redirecting to the application landing page

Depending on the IdP, you may be able to append an additional URL to the Signout URL to cause the IdP to redirect the user to the ActiveMatrix BPM application's landing page after logging out the user. Not all IdPs support this feature; they may just display a standard logout page stating that the user has been successfully logged out. Also, the parameter name appended to the Signout URL used to specify user redirect varies between IdPs.

For Microsoft ADFS, this must be:

https://host:port/adfs/ls/?wa=wsignout1.0&wreply=http://host:port/appPath

where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, port is the port used by the application, and appPath is the path to the application's landing page.

For additional information about using OpenID Connect for authentication, see the TIBCO ActiveMatrix BPM Single Sign-On guide.