Creating or Editing a SAML Authentication Shared Resource

SAML Authentication shared resources can be created or edited using the TIBCO BPM Enterprise Administrator.

Procedure

  1. From the TIBCO BPM Enterprise Administrator, select Shared Resources Manager.
  2. From the list in the left pane, select SAML Authentication.
  3. Click .
  4. Configure the SAML Authentication shared resource using the following descriptions.
    Definition
    Property Description
    Name (Required) The unique name of the SAML Authentication shared resource. The name value is case insensitive.
    Description A description of the SAML Authentication shared resource.
    Entity Id (Required) A unique ID that identifies this service provider (the BPM application) as registered with the IdP. It must match the entity ID configured at the IdP; it is also the value the IdP places in the audience restriction of the assertions it issues to this server.
    IDP metadata source (Required) Specifies where the IdP metadata is obtained from. The valid entries are:
    • IDP_HTTP_META_DATA_URL
    • IDP_STRING_META_DATA
    IDP metadata URL (Required) The URL of the IdP metadata file. This value is required if IDP metadata source is set to IDP_HTTP_META_DATA_URL. The metadata carries the IdP's signing certificate, so retrieve it over HTTPS from a host you trust: metadata fetched over plain HTTP can be replaced by anyone on the network path, and with it the certificate used to verify every assertion.
    Response skew time Specifies, in seconds, the maximum clock difference tolerated between the IdP and the TIBCO BPM Enterprise server when the validity times in a SAML response are checked. Keep it small: every second of skew also lengthens the window in which an expired assertion is still accepted.

    Default: 60

    Max authentication age Specifies, in seconds, how long after the IdP authenticated the user (the AuthnInstant in the assertion) that authentication is still accepted by this server.

    Default: 5400

    Note: Align 'Max authentication age' with the 'Session duration' set on the IdP. It must be at least as large as the IdP session duration; otherwise a user whose IdP session is still valid is returned with an authentication that this server regards as too old and is forced to sign in again. For example, if 'Session never expire' in the Google IdP is set to 30 days, 'Max authentication age' must be at least 2592000 seconds.
    IDP login URL (Required) The URL to which the user is sent to initiate a SAML login.
    IDP SSO URL (Required) The URL where SAML assertions are posted back by the IdP.
    Enabled Select to enable this SAML Authentication shared resource for Single Sign-On (SSO) use. Only one SAML Authentication shared resource can be enabled at a time.
    Note: At any time, only a single SSO-related shared resource can be enabled: either SAML or OpenID, not both.
    Assertion consumer

    All fields on the Assertion consumer tab are required. Together they define the URL at which the IdP and the user's browser reach this server's assertion consumer endpoint. Enter the values as they are seen from outside: if the server sits behind a load balancer or reverse proxy, use the external scheme, host and port rather than the internal ones, because a response whose Destination does not match the expected URL is rejected.

    Property Description
    Base URL The base URL of the server as seen by the IdP.
    Scheme The HTTP scheme, 'http' or 'https'. Use 'https' in production; the assertions the IdP posts to this endpoint are bearer tokens.
    Server name The externally visible host name of the server.
    Server port The externally visible port of the server.
    Include server port in request URL Select this to include the server port in the request URL. The resulting URL must match the one registered at the IdP, so be consistent about whether the port appears.
    Context path The context path under which the application is deployed.
    Advanced
    Property Description
    Sign authentication request Select to sign the authentication requests this server sends to the IdP, using the signing key configured below.
    Sign assertions Select to require that assertions received from the IdP are signed. The service provider does not issue or sign assertions itself; this requirement is advertised to the IdP in the SP metadata.
    Sign metadata Select to sign the SP metadata that this server publishes.
    Encrypt Assertion Select to have assertions encrypted for this service provider. The IdP encrypts to the certificate of the encryption key configured below, and that key's private half is used to decrypt the assertions.
    The following fields are displayed if any of the options above are selected.
    Key store Provider Name (Required) The name of the KeyStore Provider that holds the keys used for encrypting and signing.
    KeyAlias to encrypt The alias of the key pair used for encryption: its certificate is published to the IdP and its private key decrypts the assertions.
    Key alias to encrypt password The password for the encryption key.
    Key alias to sign The alias of the key used for signing.
    Key alias to sign password The password for the signing key. This value is never returned when the resource is read back; it always appears as null.
    Default key alias The alias of the key used when no more specific alias above is set.
    Default key alias password The password for the default key. This value is never returned when the resource is read back; it always appears as null.
  5. Click Save.
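The following Python is an added example, not TIBCO's code and not the product's implementation: it shows what the Definition and Assertion consumer settings above mean once a SAML response arrives at this server. It builds the assertion consumer URL from Scheme, Server name, Server port, 'Include server port in request URL' and Context path, then checks a response's Destination and Recipient against it, checks the Audience against Entity Id, applies 'Response skew time' to the validity window, and measures 'Max authentication age' from the AuthnInstant. The attribute names, the host bpm.example.com, the context path /bpm and the /saml/SSO path are assumptions, and the sample response is constructed and unsigned. Signature verification and decryption, which a real service provider performs before trusting any of these values, are deliberately left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class SamlSharedResource:
    # Subset of the shared-resource fields; attribute names are ours, not TIBCO's.
    entity_id: str
    response_skew_time: int = 60          # seconds, page default
    max_authentication_age: int = 5400    # seconds, page default
    scheme: str = "https"
    server_name: str = "bpm.example.com"  # assumed host
    server_port: int = 443
    include_server_port_in_request_url: bool = False
    context_path: str = "/bpm"            # assumed context path

    def base_url(self) -> str:
        host = self.server_name
        if self.include_server_port_in_request_url:
            host = f"{host}:{self.server_port}"
        return f"{self.scheme}://{host}{self.context_path}"

    def acs_url(self) -> str:
        # "/saml/SSO" is an assumed path for the assertion consumer endpoint.
        return self.base_url() + "/saml/SSO"


def parse_utc(value: str) -> datetime:
    """Parse a SAML xsd:dateTime such as 2024-03-01T10:00:00Z."""
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def check_response(cfg, xml_text, now):
    """Return the reasons, if any, the configured resource would reject this Response.
    Signature verification and decryption are out of scope here."""
    skew = timedelta(seconds=cfg.response_skew_time)
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be our own ACS URL, built from the Assertion consumer fields.
    dest = root.get("Destination")
    if dest != cfg.acs_url():
        problems.append(f"Destination {dest} does not match ACS URL {cfg.acs_url()}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion found")
        return problems
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        # Response skew time widens both ends of the validity window.
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < parse_utc(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= parse_utc(noa):
            problems.append("assertion expired")
        # The Entity Id must appear in the AudienceRestriction.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and cfg.entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include Entity Id {cfg.entity_id}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") != cfg.acs_url():
            problems.append("SubjectConfirmationData Recipient does not match ACS URL")
        noa = scd.get("NotOnOrAfter")
        if noa and now - skew >= parse_utc(noa):
            problems.append("subject confirmation expired")
    # Max authentication age counts from AuthnInstant, when the IdP actually
    # authenticated the user, not from when this Response was issued.
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is not None:
        age = now - parse_utc(authn.get("AuthnInstant"))
        if age > timedelta(seconds=cfg.max_authentication_age) + skew:
            problems.append(f"authentication is {int(age.total_seconds())}s old, "
                            f"older than Max authentication age {cfg.max_authentication_age}s")
    return problems


# Constructed, unsigned sample Response for illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-03-01T10:00:00Z" Destination="https://bpm.example.com/bpm/saml/SSO">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://bpm.example.com/bpm/saml/SSO"
            NotOnOrAfter="2024-03-01T10:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-03-01T09:59:30Z" NotOnOrAfter="2024-03-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>bpm-enterprise-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-03-01T09:30:00Z" SessionIndex="_s1"/>
  </saml:Assertion>
</samlp:Response>"""

CFG = SamlSharedResource(entity_id="bpm-enterprise-sp")
NOW = parse_utc("2024-03-01T10:00:20Z")
print(check_response(CFG, SAMPLE_RESPONSE, NOW))
```

With the page defaults the sample passes and the list is empty. Setting 'Max authentication age' to 600 against the same response reports the 30-minute-old authentication as too old, which is exactly the failure the note about IdP session duration warns of. Setting 'Response skew time' to 0 and evaluating 30 seconds after NotOnOrAfter rejects the assertion that the 60-second default would still accept, and turning on 'Include server port in request URL' changes the expected URL to include :443 so the sample's Destination and Recipient no longer match.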