OpenID Connect Authentication

If your TIBCO BPM Enterprise application is configured to use OpenID Connect, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports OpenID Connect.

The following describes the basic flow when a user attempts to log in to a TIBCO BPM Enterprise application that is configured to use OpenID Connect, using their IdP credentials (this assumes the user is not already logged in to TIBCO BPM Enterprise):

  1. A user starts a TIBCO BPM Enterprise application that is using OpenID Connect authentication.
  2. The application tries to access the TIBCO BPM Enterprise server, but the login module determines that the user is not authenticated, and that authentication is being provided by OpenID Connect.
  3. The application redirects the login request to the IdP.
  4. The IdP displays its login screen, requesting the user's IdP-issued credentials.
  5. The user enters IdP-issued credentials.
  6. After validating the user, the IdP returns an ID Token — in the form of a JSON Web Token (JWT) — to indicate a successful authentication.
    Note: Using the OpenID Access Token is not currently supported in TIBCO BPM Enterprise. The OpenID ID Token is used to identify the user.

    The response from the IdP also includes the claims specified in the Auth Scope field of the OpenID Authentication shared resource.

    The IdP sends the ID Token and claims information to the "Redirect URI" that is specified in the OpenID Connect shared resource.

  7. Upon receiving the ID Token from the IdP, the application redirects the request back to the TIBCO BPM Enterprise server to confirm that the user is a valid TIBCO BPM Enterprise user before logging the user into the application.

A cookie is also created when the user is validated by the TIBCO BPM Enterprise server. The cookie includes the ID Token, which is used to establish the session that is used by all other subsequent calls to the TIBCO BPM Enterprise server.
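The checks a server should apply to the ID Token before it is trusted to establish the session (step 7 and the cookie above), as an added example that is not TIBCO's code: it assumes a client secret shared with the IdP, so the token is an HS256-signed JWS as OpenID Connect Core permits, and the issuer, client ID, nonce and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, secret: bytes) -> str:
    """Sign claims the way an IdP would (used only to build constructed test tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token, secret, issuer, client_id, nonce, now=None, skew=60):
    """Return the verified claims or raise ValueError (checks per OIDC Core 3.1.3.7)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError as exc:  # bad split, base64 or JSON (binascii.Error is a ValueError)
        raise ValueError("malformed token") from exc
    # Pin the algorithm instead of trusting the header (rejects alg=none and alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) + skew < now:  # a missing exp is treated as expired
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def reject_reason(*args, **kwargs):
    """Validation failure message, or None when the token is accepted."""
    try:
        validate_id_token(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```

Only a token that passes every check should be placed in the session cookie; the identity claims it carries (for example sub or the claims requested via the Auth Scope) are then matched against the server's own user directory.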

When an IdP-authenticated user logs out of the TIBCO BPM Enterprise application:

  • The browser sends the value in the Logout path property to the TIBCO BPM Enterprise server. (When a user logs out, the user does not log out of the IdP but only invalidates the client session.)
  • The cookie that was created upon login is removed.

Note: At any point, only a single SSO-related shared resource can be enabled, that is, either SAML or OpenID.