Adding an Authentication Source

To add an authentication source, perform the following steps:

1. On the System Settings tile, click User Authentication Configuration.
2. Click the Add icon on the User Authentication Configuration page.

The following types of authentication sources are available:

For Internal Users
  • LDAP Server
  • OIDC Server
  • BC Database

  Note: By default, the BC Database is available on the User Authentication Configuration page, whereas the LDAP server is displayed in the Source Alias column only after you configure it.

For External Users
  • LDAP Server
  • BC Database

LDAP Server

In the New Ldap Server dialog, enter the following information:


LDAP Server Settings

Alias
  Alias name for the LDAP server.

Host Name
  The IP address or host name of the machine on which the LDAP server is deployed.

Port Number
  The port number used for connecting to LDAP.

Bind DN and Bind Password
  The LDAP server's Bind DN and the password for that DN. The base DN is an X.500 distinguished name that denotes the sub-tree of the LDAP directory in which the user records to be authenticated are stored, for example: ou=people,dc=unit,dc=company

  The Bind DN can be an LDAP user that has both read and write permissions to LDAP. The user needs permission to:
    • Read and write LDAP user objects
    • Read and write LDAP group objects
    • Authenticate other users to LDAP (that is, call the LDAP authenticate API or have read access to the password/credentials of LDAP user objects).

Base DN
  Added before the Bind DN when searching for users. This is the point in the LDAP hierarchy at which the search starts.

User Search Filter
  You can specify a user search filter so that only users that have the specified attribute are returned. With the default user search filter, all users are returned. For example:
    • Base DN: dc=na,dc=tibco,dc=com
    • User Search Filter: objectclass=person

User Name Attribute
  The LDAP attribute that represents the user name in the LDAP directory server.

  It is good practice to use the value cn for all the supported LDAP servers.

User to Group or Role Membership Attribute
  The LDAP attribute that represents user-to-group (or role) membership in the LDAP directory server. The value of this attribute lists the groups or roles in which the user's DN is enrolled.

  Note: Different LDAP servers use different user-to-group or role membership attributes. For example, specify memberOf for the OpenLDAP server or Microsoft Active Directory LDAP server, nsroledn for the Sun ONE LDAP server, and ibm-allGroups for the IBM Tivoli Directory Server.

isSecure
  Select this checkbox to indicate that the LDAP URL is secure.

isEnabled
  Select this checkbox to enable the LDAP connection.

  No operations are permitted for disabled connections.

isReadOnly
  Select this checkbox to give the LDAP connection read-only permission. Read-only LDAP connections permit only read operations. However, read-only LDAP connections can still update passwords.

Server Certificate
  The server certificate used for secure LDAP communication. Select one of the certificates that were configured under System Settings > Certificate Store > Server Identities & Certificates.

Test Connection
  Click the Test Connection tab to verify that the connection works.

  If the test is not successful, review the configuration steps.

Note: The distinguished name of an LDAP entry that contains role entries must be set.

For more information about the LDAP Role BaseDN Attribute, see Activate Protocol Plug-Ins, LDAP Configuration.
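As an added example (not code from the TIBCO documentation or product), the following Python shows how the Base DN, User Search Filter, User Name Attribute and membership attribute described above can be combined into a single user lookup, with the user-supplied name escaped so that it cannot alter the filter. The combination rule and the sample directory entry are assumptions made for illustration.

```python
# Added illustration, not TIBCO product code. It assumes the product combines
# the Base DN, User Search Filter and User Name Attribute from the dialog above
# into one lookup of the form (&(<filter>)(<name attr>=<user name>)); that
# rule is an assumption, and the directory entry used below is constructed.

# Characters that RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_filter(user_filter: str) -> str:
    """Wrap a bare filter such as objectclass=person in parentheses; empty means all users."""
    f = user_filter.strip()
    if not f:
        return "(objectclass=*)"
    return f if f.startswith("(") else f"({f})"


def build_user_lookup(base_dn: str, user_filter: str, name_attr: str, username: str):
    """Return (search base, final filter) used to locate one user record.

    The user name is escaped, so a login such as "*)(cn=*" cannot widen the
    match to other accounts (LDAP filter injection)."""
    final = f"(&{normalize_filter(user_filter)}({name_attr}={escape_filter_value(username)}))"
    return base_dn, final


def group_names(entry: dict, membership_attr: str = "memberOf") -> list:
    """Extract group/role CNs from the membership attribute of a returned entry.

    `entry` maps attribute name -> list of values, as an LDAP client returns it."""
    names = []
    for dn in entry.get(membership_attr, []):
        attr, _, val = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "cn":
            names.append(val.strip())
    return names


if __name__ == "__main__":
    base, flt = build_user_lookup("dc=na,dc=tibco,dc=com", "objectclass=person", "cn", "alice")
    print(base, flt)  # dc=na,dc=tibco,dc=com (&(objectclass=person)(cn=alice))
    _, injected = build_user_lookup("dc=na,dc=tibco,dc=com", "objectclass=person", "cn", "*)(cn=*")
    print(injected)  # (&(objectclass=person)(cn=\2a\29\28cn=\2a))
    # Constructed entry as a client might return it for alice:
    alice = {"memberOf": ["cn=admins,ou=groups,dc=na,dc=tibco,dc=com", "ou=nocn,dc=na,dc=tibco,dc=com"]}
    print(group_names(alice))  # ['admins']
```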

BC Database

The BC Database option is present by default; select it to use the BC Database as the source of user information.

OIDC Server

In the New OIDC Server dialog, enter the following information:


OIDC Server Settings

Server Name
  Enter a server name.

Server Role
  Select the server role from the dropdown list. The list contains all the roles of TIBCO BusinessConnect Container Edition, including the default admin role and all the roles you have created.

Token URL
  Enter the token URL of the SSO provider. This URL is supplied by the SSO service provider.

Client ID
  Enter the unique ID for your application. It is the public identifier used to authenticate your SSO-enabled application.

Authorization URL
  Enter the authorization URL of the SSO provider. This is the URL at which the delegated authentication takes place.

Client Secret
  Enter the secret key for your application. It is a private key used to authenticate the application to the authorization server.

isReadOnly
  Select this checkbox to give the OIDC connection read-only permission. Read-only OIDC connections permit only read operations. However, read-only OIDC connections can still update passwords.

isEnabled
  Select this checkbox to enable the OIDC connection.

  No operations are permitted for disabled connections.

isSecure
  Select this checkbox to indicate that the OIDC URL is secure.

Authentication Source Defaults

The added and configured authentication sources are displayed in the Source Alias column. TIBCO BusinessConnect Container Edition uses the sources to authenticate external users in the order in which they are listed, taking into account the status of each source (enabled or disabled).

For example, if you add BC Database and then LDAP as authentication sources, BCDB (the BC Database alias) is listed first in the Source Alias column and LDAP is listed second in the Source Alias column.

When authenticating external users, TIBCO BusinessConnect Container Edition uses BCDB first. If authentication fails with that source, TIBCO BusinessConnect Container Edition retries the authentication using LDAP.

Use the Move Up and Move Down options, or drag and drop the sources in the Source Alias column, to adjust the priority of the authentication sources.