Using SAML Web Profile with ActiveMatrix BPM

If your ActiveMatrix BPM application is configured to use SAML Web Profile for authentication, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports SAML Web Profile.

ActiveMatrix BPM supports the use of Google as the IdP for SAML Web Profile authentication.

The following describes the basic flow when a user who is not already logged in to ActiveMatrix BPM attempts to log in to an ActiveMatrix BPM application that is configured to use SAML Web Profile, using their IdP credentials:

  1. A user starts an ActiveMatrix BPM application that is using SAML Web Profile authentication.
  2. The application tries to access the ActiveMatrix BPM server. The ActiveMatrix Platform intercepts the login request and returns a message to the application stating that the user is not authenticated and that authentication is provided by SAML Web Profile (identified by the value of the authDefaultMethod substitution variable; see Specifying the authDefaultMethod Substitution Variable for SAML Web Profile). The message also includes the URL of the IdP and the other SAML Web Profile settings taken from the SAML Web Profile shared resource.
  3. The application redirects the login request to the IdP, using the information returned by the ActiveMatrix Platform.
  4. The IdP displays a login screen (Google's login screen), requesting the user's IdP-issued credentials.
  5. The user enters their IdP-issued credentials.
  6. After validating the user's credentials, the IdP returns its SAML response (carrying the assertion about the authenticated user) by redirecting the user's browser to the URL specified in the Authentication Successful URL field in the SAML Web Profile shared resource. For more information, see Configuring SAML Web Profile Authentication in ActiveMatrix BPM.

    For every ActiveMatrix BPM application, the Authentication Successful URL must be:

    http://host:port/openspace/sso/bpmssoapp.html

    where host is the DNS name or IP address of the server that hosts the ActiveMatrix BPM runtime, and port is the port used by the application. Because the IdP's response, and the assertion it carries, travels through the user's browser to this URL, serve it over TLS (an https URL on the same path) in production.

    Although the Authentication Successful URL is the same for all ActiveMatrix BPM applications, the response from the IdP is routed to the appropriate ActiveMatrix BPM application by an interceptor script (bpm-sso-interceptor.min.js) that is included in the application that submitted the request to the IdP (for more information about the interceptor script, see Using SAML Web Profile Authentication with Custom Applications).

  7. Upon receiving the IdP's response, the application redirects the request back to the ActiveMatrix BPM server, which validates the response and confirms that the asserted user is a valid ActiveMatrix BPM user before logging the user into the application. Authenticating at the IdP is therefore not sufficient on its own: the user must also exist in ActiveMatrix BPM.

When the ActiveMatrix BPM server validates the user, it also creates a session cookie. All subsequent calls to the ActiveMatrix BPM server present this cookie to identify the session.
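The following is an added example (not TIBCO code, and not taken from this page) of what the server-side handler behind the Authentication Successful URL has to check in step 7 before it creates the session cookie. It assumes the XML signature on the IdP's response has already been verified by the platform's SAML library (XML-DSig is not re-implemented here), and it uses hypothetical values for the ACS URL, the SP and IdP entity IDs, a constructed mapping from the IdP's NameID to an ActiveMatrix BPM user, and a constructed, unsigned sample response. It also goes slightly beyond the page by showing the standard SAML Web Browser SSO checks that sit between "IdP said yes" and "this is a valid BPM user": Destination and InResponseTo against the request the SP issued, issuer, audience, validity window, bearer confirmation, and single-use assertion IDs.

```python
import base64
import secrets
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # real deployments should parse untrusted XML with defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical deployment values: the page's Authentication Successful URL with host:port
# filled in, plus SP and IdP entity IDs that this example assumes.
ACS_URL = "https://bpm.example.com:8443/openspace/sso/bpmssoapp.html"
SP_ENTITY_ID = "https://bpm.example.com:8443/openspace"
IDP_ENTITY_ID = "https://idp.example.com/saml"
CLOCK_SKEW = timedelta(minutes=2)
LOCAL_USERS = {"alice@example.com": "alice"}  # constructed: IdP NameID -> ActiveMatrix BPM user
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample data


class SamlError(Exception):
    """Reject the response: no ActiveMatrix BPM session may be created."""


def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))  # SAML timestamps are UTC, 'Z'-suffixed


def _within(not_before, not_on_or_after, now):
    # now (allowing CLOCK_SKEW) lies inside [NotBefore, NotOnOrAfter); either bound may be absent.
    return ((not_before is None or now + CLOCK_SKEW >= _utc(not_before))
            and (not_on_or_after is None or now - CLOCK_SKEW < _utc(not_on_or_after)))


def validate_response(saml_response_b64, outstanding_requests, seen_assertions, now):
    """Validate a base64 SAMLResponse (XML signature assumed already verified); return the local user.
    outstanding_requests: AuthnRequest IDs this SP issued; seen_assertions: accepted assertion IDs."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlError("not a samlp:Response")
    # The response must be addressed to our ACS URL and answer a request we really sent.
    if root.get("Destination") != ACS_URL:
        raise SamlError("Destination is not our Authentication Successful URL")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_requests:
        raise SamlError("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise SamlError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("no plaintext assertion (encrypted assertions are out of scope here)")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlError("assertion was not issued by the configured IdP")
    # Validity window and audience: an assertion minted for another SP must not log anyone in here.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not _within(cond.get("NotBefore"), cond.get("NotOnOrAfter"), now):
        raise SamlError("assertion missing Conditions or outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("assertion was issued for a different audience")
    # Bearer confirmation must name this ACS URL and this request, and must not have expired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != req_id:
        raise SamlError("SubjectConfirmationData does not name this ACS URL and request")
    if not _within(None, scd.get("NotOnOrAfter"), now):
        raise SamlError("subject confirmation expired")
    if assertion.get("ID") in seen_assertions:
        raise SamlError("assertion replayed")
    # Step 7 of the flow: the IdP identity must map to an existing ActiveMatrix BPM user.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    local_user = LOCAL_USERS.get(name_id)
    if local_user is None:
        raise SamlError(f"{name_id!r} authenticated at the IdP but is not a BPM user")
    # Consume the request and record the assertion only after every check passed, so a
    # rejected response neither burns the outstanding request nor poisons the replay cache.
    outstanding_requests.discard(req_id)
    seen_assertions.add(assertion.get("ID"))
    return local_user


def try_login(saml_response_b64, outstanding_requests, seen_assertions, sessions, now):
    """Handler behind the Authentication Successful URL: validate, then create the session cookie."""
    try:
        user = validate_response(saml_response_b64, outstanding_requests, seen_assertions, now)
    except SamlError as err:
        return {"ok": False, "reason": str(err)}
    cookie = secrets.token_urlsafe(32)  # unguessable session ID; the user mapping stays server-side
    sessions[cookie] = user
    return {"ok": True, "user": user, "cookie": cookie}


def build_sample_response(req_id, now, audience=SP_ENTITY_ID, name_id="alice@example.com", aid="_a1"):
    """Constructed, unsigned sample of what the IdP returns to the Authentication Successful URL."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    nb, na = (now - timedelta(minutes=1)).strftime(fmt), (now + timedelta(minutes=5)).strftime(fmt)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0"'
           f' Destination="{ACS_URL}" InResponseTo="{req_id}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="{aid}" Version="2.0"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
           f'<saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{req_id}" NotOnOrAfter="{na}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A call such as try_login(build_sample_response("_req1", SAMPLE_NOW), {"_req1"}, set(), {}, SAMPLE_NOW) returns the user "alice" and a fresh cookie; resubmitting the same response is rejected as a replay, a response for a different audience or for a NameID with no ActiveMatrix BPM user is rejected without consuming the outstanding request, and a response whose InResponseTo the SP never issued is rejected outright. The sets of outstanding request IDs and accepted assertion IDs stand in for whatever server-side store a real deployment uses; the one property that matters is that they are only updated after every check has passed.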

When an IdP-authenticated user logs out of an ActiveMatrix BPM application:

  • The scope of the logout depends on the Local Logout option in the SAML Web Profile configuration:
    • If Local Logout is selected, the user is logged out of any currently open ActiveMatrix BPM applications only; the user's session at the IdP is left in place.
    • If Local Logout is not selected, the user is logged out of any currently open ActiveMatrix BPM applications and is also logged out of the IdP.
  • The user is redirected to the login page of the application that was logged out of. If the user cannot be redirected to that login page, the user is instead redirected to the URL specified in the Logout Successful URL field in the SAML configuration.
  • The cookie that was created upon login is removed.