Adding an Authentication Source
To add an authentication source, perform the following steps:
1. On the System Settings tile, click User Authentication Configuration.
2. Click the Add icon on the User Authentication Configuration page. The following types of authentication sources are available:
- LDAP Server
- OIDC Server
- BC Database
Note: By default, the BC Database is available on the User Authentication Configuration page, whereas the LDAP server is displayed in the Source Alias column only after you configure it.
LDAP Server
In the New Ldap Server dialog, enter the following information:
LDAP Server Settings
Field | Description |
---|---|
Alias | Alias name for the LDAP server. |
Host Name | The IP address or name of the machine on which the LDAP server is deployed. |
Port Number | The port number used for connecting to LDAP. |
Bind DN and Bind Password | The LDAP server's Bind DN. The base DN is an X.500 distinguished name that denotes the sub-tree of an LDAP directory in which the user records to be authenticated are stored, such as: The Bind DN provided can be an LDAP user that has both read and write permissions to LDAP. The user needs permission to authenticate other users to LDAP (that is, to call the LDAP authenticate API or to have read access to the password/credentials of LDAP user objects). |
Base DN | Added prior to Bind DN when searching for users. This is the starting point in the LDAP hierarchy at which the search begins. |
User Search Filter | You can specify a user search filter so that only users that have the specified attribute are returned. With the default user search filter, all users are returned. For example: • Base DN: • User Search Filter: |
User Name Attribute | Provide the LDAP attribute name that represents the user name in the LDAP directory server. It is good practice to use the value of |
User to Group or Role Membership Attribute | Provide the LDAP attribute that represents the User to Group (or Role) membership attribute in the LDAP directory server. The value of this attribute lists the groups or roles in which the user is enrolled for the DN. Note: Different LDAP servers use different User to Group or Role membership attributes. For example, specify memberOf for the OpenLDAP server or Microsoft Active Directory LDAP server, nsroledn for the Sun ONE LDAP server, and ibm-allGroups for the IBM Tivoli Directory Server. |
isSecure | Select this checkbox to indicate that this is a secure LDAP URL. |
isEnabled | Select this checkbox to enable the LDAP connection. No operations are permitted for disabled connections. |
isReadOnly | Select this checkbox to give the LDAP connection Read Only permission. Read-only LDAP connections permit only read operations. However, read-only LDAP connections can update passwords. |
Server Certificate | The server certificate used for secure LDAP communication. Select one of the certificates configured under System Settings > Certificate Store > Server Identities & Certificates. |
Test Connection | Click the Test Connection tab to verify whether the connection works. If the test is not successful, review the configuration steps. |
For more information about the LDAP Role BaseDN Attribute, see Activate Protocol Plug-Ins, LDAP Configuration.
BC Database
The BC Database option is available by default and is used as a source of user information when you choose it.
OIDC Server
In the New OIDC Server dialog, enter the following information:
OIDC Server Settings
Field | Description |
---|---|
Server Name | Enter a server name. |
Server Role | Select the server role from the dropdown list. Server role lists all the roles of TIBCO BusinessConnect Container Edition, including the default admin role and all the roles you have created. |
Token URL | Enter the token URL of an SSO provider. This URL is provided by the SSO service provider. |
Client ID | Enter a unique ID for your application. It is a public key that is used to authenticate your application enabled with SSO. |
Authorization URL | Enter the authorization URL of an SSO provider. It is the URL where the delegated authentication occurs. |
Client Secret | Enter a secret key for your application. It is a private key used to authenticate the application to the authorization server. |
isReadOnly | Select this checkbox to check whether the OIDC connection has Read Only permission. Read-only OIDC connections permit only read operations. However, read-only OIDC connections can update passwords. |
isEnabled | Select this checkbox to enable the OIDC connection. No operations are permitted for disabled connections. |
isSecure | Select this checkbox to check whether this is a secure OIDC URL. |
Authentication Source Defaults
The added and configured authentication sources are displayed in the Source Alias column. TIBCO BusinessConnect Container Edition uses the sources to authenticate external users in the order in which they are listed, taking into account each source's status (enabled or disabled).
For example, if you add BC Database and then LDAP as authentication sources, BCDB (the BC Database alias) is listed first in the Source Alias column and LDAP is listed second in the Source Alias column.
When authenticating external users, TIBCO BusinessConnect Container Edition uses BCDB first. If authentication fails with that source, TIBCO BusinessConnect Container Edition retries the authentication using LDAP.
You can use Move Up and Move Down options or drag and drop the sources in the Source Alias column to adjust the priority of the authentication source.
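The following Python is an added example, not code from the TIBCO documentation or product. It models two things the page describes: how the LDAP settings (Base DN, User Search Filter, User Name Attribute, membership attribute such as memberOf) turn into a user lookup, and how the sources in the Source Alias column are tried in order with disabled sources skipped. The in-memory directory and the BCDB user table are constructed stand-ins; no real LDAP server is contacted, and the filter escaping follows RFC 4515 so a typed user name cannot change the search filter's structure.

```python
from dataclasses import dataclass, field
import hmac
def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed user name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)
def build_user_filter(user_search_filter: str, user_name_attr: str, username: str) -> str:
    """AND the configured User Search Filter with an exact match on the User Name Attribute."""
    return f"(&{user_search_filter}({user_name_attr}={escape_filter_value(username)}))"
@dataclass
class BcDatabase:
    """Stand-in for the BC Database source (alias BCDB) with a constructed user table."""
    alias: str = "BCDB"
    enabled: bool = True
    users: dict = field(default_factory=dict)  # username -> password (constructed)

    def authenticate(self, username, password):
        stored = self.users.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return {"source": self.alias, "user": username, "groups": []}
        return None

@dataclass
class LdapServer:
    """Stand-in for an LDAP source using the dialog's Base DN, filter and attribute settings."""
    alias: str
    base_dn: str
    user_search_filter: str  # e.g. "(objectClass=person)"
    user_name_attr: str      # e.g. "uid" or "sAMAccountName"
    membership_attr: str = "memberOf"
    enabled: bool = True
    entries: dict = field(default_factory=dict)  # dn -> attributes (constructed directory)

    def authenticate(self, username, password):
        # Filter a real server would receive; the stand-in matches the attribute directly
        # and, like a sub-tree search, only considers entries under the Base DN.
        ldap_filter = build_user_filter(self.user_search_filter, self.user_name_attr, username)
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith(self.base_dn.lower()) or attrs.get(self.user_name_attr) != username:
                continue
            if not hmac.compare_digest(attrs.get("userPassword", ""), password):
                return None  # user found, but a bind with this password would fail
            return {"source": self.alias, "user": dn, "filter": ldap_filter,
                    "groups": list(attrs.get(self.membership_attr, []))}
        return None

def authenticate(sources, username, password):
    """Walk the Source Alias column in order; skip disabled sources, fall through on failure."""
    for src in sources:
        if src.enabled and (result := src.authenticate(username, password)) is not None:
            return result
    return None
```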