SAML Web Profile Authentication

If your TIBCO BPM Enterprise application is configured to use SAML Web Profile for authentication, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports SAML Web Profile.

The following describes the basic flow when a user attempts to log in to a TIBCO BPM Enterprise application that is configured to use SAML Web Profile, using their IdP credentials (this assumes the user is not already logged in to TIBCO BPM Enterprise):

  1. A user starts a TIBCO BPM Enterprise application that is using SAML Web Profile authentication.
  2. The application tries to access the TIBCO BPM Enterprise server, but the login module determines that the user is not authenticated, and that authentication is being provided by SAML Web Profile.
  3. The application redirects the login request to the IdP.
  4. The IdP displays a login screen (for example, Google's login screen), requesting the user's IdP-issued credentials.
  5. The user enters their IdP-issued credentials.
  6. Upon receiving the user validation from the IdP, the application redirects the request back to the TIBCO BPM Enterprise server to confirm that the user is a valid TIBCO BPM Enterprise user before logging the user into the application.

A cookie is also created when the user is validated by the TIBCO BPM Enterprise server. The cookie is used to establish the session that is used by all subsequent calls to the TIBCO BPM Enterprise server.

When an IdP-authenticated user logs out of a TIBCO BPM Enterprise application:

  • The user is redirected to the login page of the application they logged out of. When the request is redirected to <domain>/apps/login/index.html, the Login page checks whether an authenticated session already exists. If there is no authenticated session, it forwards the request to the SAML IdP login page (if the user is not authenticated with the IdP).
  • The cookie that was created upon login is removed.
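The login and logout decisions described above, modelled as an added example (not TIBCO's code; the product's login module is not published here). The assertion format, `BPM_USERS` directory, `IDP_LOGIN_URL` and `SP_AUDIENCE` values are constructed stand-ins; the audience and expiry checks are the standard SAML assertion conditions, assumed here because the page does not detail what the login module validates.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data: users known to the BPM server's own directory.
BPM_USERS = {"alice@example.com", "bob@example.com"}
IDP_LOGIN_URL = "https://idp.example.com/sso"   # placeholder IdP endpoint
SP_AUDIENCE = "bpm-enterprise"                  # placeholder SP entity ID


def sample_assertion(subject, ttl_seconds=300):
    """Constructed stand-in for an IdP-validated SAML assertion (not real XML)."""
    return {"subject": subject, "audience": SP_AUDIENCE,
            "not_on_or_after": time.time() + ttl_seconds}


@dataclass
class LoginModule:
    """Minimal model of the server-side login module in the flow above."""
    sessions: dict = field(default_factory=dict)  # cookie value -> user name

    def handle_request(self, cookie, saml_assertion=None):
        # Steps 2-3: an unauthenticated request is redirected to the IdP.
        if cookie in self.sessions:
            return ("ok", self.sessions[cookie])
        if saml_assertion is None:
            return ("redirect", IDP_LOGIN_URL)
        # Step 6: the IdP vouched for the user, but the user must also be a
        # valid BPM user; an unknown subject is rejected even with a good assertion.
        user = self._validate(saml_assertion)
        if user is None:
            return ("denied", None)
        # A fresh, unguessable cookie establishes the session for later calls.
        new_cookie = secrets.token_urlsafe(32)
        self.sessions[new_cookie] = user
        return ("set-cookie", new_cookie)

    def _validate(self, assertion):
        # Assertion must be meant for this SP and still within its validity window.
        if assertion.get("audience") != SP_AUDIENCE:
            return None
        if assertion.get("not_on_or_after", 0) <= time.time():
            return None
        subject = assertion.get("subject")
        return subject if subject in BPM_USERS else None

    def logout(self, cookie):
        # The cookie created at login is removed server-side, so the next request
        # with it is treated as unauthenticated and redirected again.
        self.sessions.pop(cookie, None)
        return ("redirect", "/apps/login/index.html")
```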