Create a Resource Template of Type 'OpenIDAuthentication'

1. Log in to TIBCO ActiveMatrix Administrator.
2. Select Shared Objects > Resource Templates.
3. Click New.
4. On the Add Resource Template dialog, select 'OpenID Authentication' in the Type field.

   The Name field defaults to the same value selected in the Type field, but can be change, if desired.

5. Complete the remainder of the Add Resource Template dialog, using the descriptions below.
   Note: The descriptions below provide examples of configuration parameter values that can be used with Google and Microsoft ADFS. If you are using a different IdP, it is up to you to determine the correct values to use for each parameter.

   Field/Button	Description
   Description (optional)	A description for the OpenID shared resource.
   Access token URI	The REST OpenID token service URI, which is used to obtain an ID Token for the authenticated user. Note: Using the OpenID Access Token is not currently supported in ActiveMatrix Service Grid. The OpenID ID Token is used to identify the user. This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP. Examples are: Google: https://www.googleapis.com/oauth2/v3/token Microsoft ADFS: https://host:port/adfs/oauth2/token where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.
   Client ID	The ID that identifies the client at the Identify Provider (IdP). This, and the Client Secret (see below), are obtained from the IdP when the client registers an application with the IdP for the purpose of providing authentication for users. For information, see Registering an Application at an Identity Provider.
   Client Secret	The password for the Client ID account. See the description above.
   Redirect URI	The URI to which the IdP will redirect the user after authenticating the user and generating an ID Token. http://host:port/appPath where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to your Web application. Also note that this URI must match exactly the Redirect URI that was specified when registering the application with the IdP. For more information, see Registering an Application at an Identity Provider.
   Authorization URI	The REST Open ID user claims/information service URI, which is used to obtain user profile information. This URI can be obtained from the IdP's website on which they describe how to register an application with the IdP. Examples are: Google: https://accounts.google.com/o/oauth2/auth Microsoft ADFS: https://host:port/adfs/oauth2/authorize where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.
   Auth Scope (optional)	Defines the claims to be returned by the IdP when the IdP authenticates the user and issues an ID Token. These claims are user attributes and are intended to provide the application with user details. The openid scope is included by default (even though it does not appear in the Auth Scope field by default). (The openid scope causes the sub claim to be returned, which uniquely identifies the user.) However, if any scope is entered in the Auth Scope field, it overrides the default value of openid. Therefore, if your IdP requires the openid scope, plus another scope, you must also specify openid. Specify the scopes required by your IdP. Examples are: Google and Microsoft ADFS: openid,email Multiple scopes can be either comma- or space-separated in the Auth Scope field.
   User Key (optional)	From the list of claims that are returned from the IdP (based on the scope), this specifies the field that is used as a User ID. For example: Google and Microsoft ADFS: email
   JSON Web Key Set URI	The URI to the JSON Web Key Set (JWKS), which is a JSON data structure that represents a set of public keys used to verify the signature of the JSON Web Token (JWT) ID Token issued by the IdP. This is unique to the IdP and can be obtained from the IdP's website on which they describe how to register an application with the IdP. Examples are: Google: https://www.googleapis.com/oauth2/v3/certs Microsoft ADFS: https://host:port/adfs/discovery/keys where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, and port is the port used by the application.
   Logout Path	When a user logs out of a TIBCO ActiveMatrix Web application, the browser sends this value to the TIBCO ActiveMatrix server. This property must be set to: /logout This value indicates to the server that it needs to send a request to the IdP to log the user out, using the value specified in the SignOutURL property (see below).
   Signout URL	Upon receiving "/logout" in the LogOutPath property, the server uses this URL to send the IdP a request to log the user out of the IdP. The Signout URL is specific to the IdP. Examples are: Google: https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://host:port/appPath/logout where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page. Microsoft ADFS: https://host:port/adfs/ls/?wa=wsignout1.0&wreply=http://host:port/appPath where host is the DNS name or IP address of the server that hosts TIBCO ActiveMatrix, port is the port used by the application, and appPath is the path to the application's landing page.
   Unauthorized Redirect Requests (optional)	Specifies whether it is the responsibility of the application to handle unauthorized redirect requests. Select this option if the application will handle unauthorized requests and will forward them to the appropriate location. ActiveMatrix BPM handles unauthorized requests, therefore, for ActiveMatrix BPM applications, this option must be selected.

6. Click Save.

<!-- Optional Fields scope, userKey, description, unauthorizeRedirectRequests -->
<ResourceTemplate
xsi:type="amxdata:OpenIDResourceTemplate"
name = "OpenIDRT"
clientID="replyingparty-clientID"
clientSecret="replyingparty-clientSecret"
accessTokenURI="idp-accessTokenURI"
redirectURI="replyingparty-redirectURI"
authorizationURI="idp-authorizationURI"
scope="openid,email"
userKey="email"
jwksUrl="idp-jwksUrl"
unauthorizeRedirectRequests="false"
description="This is OpenID resource template">
logOutPath="Log out path"
signOutURL="Signout URL"
</ResourceTemplate>