Authentication

All access to TIBCO BPM Enterprise requires the use of an authenticated user. Users must be registered with the TIBCO BPM Enterprise Directory Engine, which is done via the Organization Browser.

TIBCO BPM Enterprise supports the following types of Authentication:

  • Basic Authentication - The credentials used for authentication are obtained from the HTTP request in the form of a user name and password. The user name and password are authenticated against an LDAP directory.
  • SAML Web Profile - If your TIBCO BPM Enterprise application is configured to use SAML Web Profile for authentication, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports SAML Web Profile.
  • OpenID Connect - If your TIBCO BPM Enterprise application is configured to use OpenID Connect, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports OpenID Connect.

Authentication Process

TIBCO BPM Enterprise contains a login module for each of the available types of authentication -- basic, SAML Web Profile, and OpenID Connect. When a TIBCO BPM Enterprise HTTP endpoint is accessed, the appropriate login module handles the user authentication using the following process:

  1. The system checks to see if there is a current user session, and if so, that it hasn't expired. If this is true, the HTTP request is processed.
  2. If there is no current user session, a check is made to determine if TIBCO BPM Enterprise is configured for basic authentication. This can be either HTTP basic authentication or forms-based authentication. Only one of these types of basic authentication can be used, as they are mutually exclusive. (In HTTP basic authentication, the principal's credentials are passed in the HTTP Authorization request header; in forms-based authentication, the principal's credentials are passed in the request payload.)

    The basic authentication login module extracts the principal from the HTTP Authorization header (if it is available) and looks the user up in Directory Engine. If the user is known to Directory Engine, it returns details of the user, including the primary LDAP to be used for authentication purposes. The basic authentication login module then attempts to perform a bind operation on the appropriate LDAP with the user's credentials.

    For forms-based authentication, the principal and password are extracted from the request payload. The principal is then looked up in Directory Engine and authenticated against the LDAP in an identical manner to that used for HTTP basic authentication.

    Basic authentication is configured using an HTTP Client Shared Resource defined in TIBCO BPM Enterprise Administrator.

  3. If basic authentication is not used, or fails, the system checks to see if TIBCO BPM Enterprise is configured for Single Sign-On (SSO) authentication -- either SAML Web Profile or OpenID Connect. SSO authentication must be configured if basic authentication is not configured. Also, only one of the SSO authentication type configurations is supported across all inbound TIBCO BPM Enterprise REST APIs at any one time (although both types can be configured, only one can be enabled at a time).

    Depending on which SSO authentication type is configured, control is handed off to the appropriate login module -- SAML Web Profile or OpenID Connect -- which uses the appropriate shared resource configuration defined in TIBCO BPM Enterprise Administrator.

    After SSO is successfully completed, an authorization check is then performed to ensure that the user is known to TIBCO BPM Enterprise. This is done by looking up the user in Directory Engine to ensure that the user is a valid BPM user. If this is successful, the user is considered authenticated and an HTTP session is created.
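The login-module chain described in steps 1 to 3, as an added illustration that is not TIBCO's code: Directory Engine, the LDAP bind and the IdP result are simulated with constructed in-memory data, and the session timeout value and the `username`/`password` form field names are assumptions. It shows the mutually exclusive basic modes, the fall-through from a failed bind to SSO, and the Directory Engine check that still applies after a successful SSO login.

```python
import base64
import hmac
# Constructed stand-ins (not TIBCO data): user -> primary LDAP, and accepted (ldap, user) -> password binds.
DIRECTORY_ENGINE = {"alice": "ldap-corp", "bob": "ldap-partner"}
LDAP_BINDS = {("ldap-corp", "alice"): "s3cret", ("ldap-partner", "bob"): "hunter2"}
SESSION_TTL = 1800  # seconds, an assumed value

def extract_credentials(request, basic_mode):
    """Step 2: (principal, password) from the Authorization header ("http") or
    the request payload ("forms"); the two modes are mutually exclusive."""
    if basic_mode == "http":
        scheme, _, token = request.get("headers", {}).get("Authorization", "").partition(" ")
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        principal, sep, password = decoded.partition(":")
        return (principal, password) if scheme == "Basic" and sep and principal else None
    if basic_mode == "forms":
        form = request.get("form") or {}
        if "username" in form and "password" in form:
            return form["username"], form["password"]
    return None

def basic_login(request, basic_mode):
    """Look the principal up in Directory Engine, then bind to its primary LDAP."""
    creds = extract_credentials(request, basic_mode)
    if creds is None:
        return None
    principal, password = creds
    ldap = DIRECTORY_ENGINE.get(principal)
    if ldap is None:
        return None
    expected = LDAP_BINDS.get((ldap, principal), "")  # simulated LDAP bind
    return principal if hmac.compare_digest(expected.encode(), password.encode()) else None

def sso_login(request, sso_mode):
    """Step 3: take the IdP-asserted principal (simulated as a request field), then confirm it is a known BPM user."""
    principal = request.get("sso_principal") if sso_mode in ("saml", "oidc") else None
    return principal if principal in DIRECTORY_ENGINE else None

def authenticate(request, session, now, basic_mode="http", sso_mode="saml"):
    """Run the login-module chain; return the session dict or None."""
    if session and now - session["created"] < SESSION_TTL:
        return session  # step 1: current, unexpired session
    principal = basic_login(request, basic_mode) if basic_mode else None
    if principal is None and sso_mode:  # basic not used or failed: hand off to SSO
        principal = sso_login(request, sso_mode)
    return {"user": principal, "created": now} if principal else None
```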