Creating or Editing an OpenID Authentication Shared Resource

OpenID Authentication shared resources can be created or edited using the TIBCO BPM Enterprise Administrator.

    Procedure
  1. From the TIBCO BPM Enterprise Administrator screen, select Shared Resources Manager.
  2. From the Shared Resources List in the left pane, select OpenID authentication.
  3. Expand the OpenID authentication menu and click to add a new shared resource, or select an existing shared resource to edit it.
  4. Configure the OpenID Authentication shared resource using the following descriptions.
    Definition

    Name

    (Required) The unique name of the OpenID Authentication shared resource. The name value is case insensitive.

    Description

    A description of the OpenID Authentication shared resource.

    Grant Type

    Defines the type of the token flow request.

    TIBCO BPM Enterprise supports the following grant types:

    • Authorization Code: This grant type includes the exchange of an authorization code to authenticate API access. Authorization Code is for browser (user) SSO access to TIBCO BPM Enterprise.

    • Client Credentials: This grant type includes the exchange of application credentials, such as client ID and client secret, to authenticate API access. Client Credentials is for TIBCO BPM Enterprise to access third-party services from a REST service task in a process using SSO.

    Authorization Code

    Client ID

    (Required) The ID that identifies the client at the Identity Provider (IdP). This and the Client Secret are obtained from the IdP when the client registers an application with the IdP to provide authentication for users.

    Client Secret

    (Required) The password for the Client ID account.

    User Key

    (Optional) Specifies the claim that is used to identify the user token from the list of claims that are returned from the IdP (based on the Auth Scope). By default, User Key is the user's email address.

    Auth Scope

    (Read-Only) Defines the claims to be returned by the IdP when the IdP authenticates the user and issues an ID Token. These claims are user attributes that provide the application with the user details.

    The Auth Scope openid email is supported.

    Enabled

    Select this checkbox to enable the OpenID Authentication shared resource for Single Sign-On use. Currently, only one OpenID Authentication shared resource can be enabled.

    Note: At any point, only one SSO-related shared resource can be enabled, that is, either SAML or OpenID.

    Client Credentials

    Invocation Type

    Select the type of invocation from the dropdown list:

    • Inbound: To access TIBCO BPM Enterprise APIs from a third-party server.

      Note: The Inbound invocation type is not supported in this release.

    • Outbound: To access third-party APIs from the TIBCO BPM Enterprise server.

    Client ID

    (Required) The ID that identifies the client at the Identity Provider (IdP). This and the Client Secret (see below) are obtained from the IdP when the client registers an application with the IdP to provide authentication for users.

    Client Secret

    (Required) The password for the Client ID account.

    URI

    Access token URI

    (Required) The REST OpenID token service URI, which is provided by the IdP. It is used to obtain an ID Token for the authenticated user.

    Redirect URI

    (Required) The URI to which the IdP sends the ID Token after authentication.

    The Redirect URI is the BPME server base URL with the user-configured path appended.

    For example, if the BPME server base URL is https://localhost:8443, the user can configure the Redirect URI as https://localhost:8443/google-login, where google-login is the configured path. The system then dynamically hosts https://localhost:8443/google-login as the endpoint.

    Ensure that the path is not hierarchical, such as googlelogin/subpath1/subpath2.

    Authorization URI

    (Required) The REST OpenID user claims/information service URI, which is used to obtain user profile information.

    JSON web keyset URI

    (Required) The URI to the JSON Web Key Set (JWKS), which is a JSON data structure that represents a set of public keys used to verify the signature of the JSON Web Token (JWT) issued by the IdP.

  5. Click Save.
    Note: You do not need to restart the OpenID shared resource for the OpenID client credentials outbound flow.
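The two grant types and the Redirect URI rule described in step 4, shown as an added example that is not TIBCO's code and does not send anything: it builds the messages of the Authorization Code flow (browser SSO) and the Client Credentials flow (outbound REST calls) and validates the configured Redirect URI path. The IdP endpoints, client ID, client secret and authorization code are constructed placeholders; only https://localhost:8443 and the google-login path come from the page, and the state check on the callback is standard OAuth practice rather than something the page documents.

```python
"""Shape of the two token flows an OpenID shared resource can use.

Added illustration, not TIBCO code. Nothing here is sent over the network:
each function returns the message a client would send. All endpoints and
credentials are constructed placeholders.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BPME_BASE_URL = "https://localhost:8443"                         # from the page
TOKEN_URI = "https://idp.example.com/oauth2/token"               # placeholder Access token URI
AUTHORIZATION_URI = "https://idp.example.com/oauth2/authorize"   # placeholder Authorization URI
AUTH_SCOPE = "openid email"                                      # the one supported Auth Scope


def build_redirect_uri(base_url: str, path: str) -> str:
    """Redirect URI = BPME server base URL + configured path. The path must be a
    single segment (e.g. 'google-login'); hierarchical paths are rejected."""
    path = path.strip("/")
    if not path or "/" in path:
        raise ValueError(f"redirect path must be one non-hierarchical segment: {path!r}")
    return f"{base_url.rstrip('/')}/{path}"


def authorization_request(client_id: str, redirect_uri: str) -> dict:
    """Authorization Code, step 1: the URL the browser is sent to. 'state' binds the
    callback to this request (CSRF) and 'nonce' binds the ID Token to it (replay);
    the server must remember both until the callback arrives."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": AUTH_SCOPE, "state": state, "nonce": nonce}
    return {"url": f"{AUTHORIZATION_URI}?{urlencode(params)}", "state": state, "nonce": nonce}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the IdP redirects the browser to the Redirect URI with ?code=...&state=...
    The callback is refused unless its state is the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to a request we started")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def _basic_auth(client_id: str, client_secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def code_exchange_request(code: str, redirect_uri: str, client_id: str, client_secret: str) -> dict:
    """Step 3: server-to-server POST to the Access token URI, exchanging the code for
    tokens (including the ID Token). The client secret never reaches the browser."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return {"method": "POST", "url": TOKEN_URI,
            "headers": {"Authorization": _basic_auth(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


def client_credentials_request(client_id: str, client_secret: str, scope: str = "") -> dict:
    """Client Credentials (Outbound): no user and no redirect; the application itself
    authenticates with its ID and secret to obtain an access token for a third-party API."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {"method": "POST", "url": TOKEN_URI,
            "headers": {"Authorization": _basic_auth(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


if __name__ == "__main__":
    redirect = build_redirect_uri(BPME_BASE_URL, "google-login")
    req = authorization_request("bpme-client", redirect)
    # Pretend the IdP redirected the browser back with a (constructed) code and our state.
    callback = f"{redirect}?code=SplxlOBeZQQYbYS6WxSbIA&state={req['state']}"
    code = parse_callback(callback, req["state"])
    print(code_exchange_request(code, redirect, "bpme-client", "s3cret")["body"])
    print(client_credentials_request("bpme-client", "s3cret")["body"])
```

The contrast the page draws is visible in the two POST bodies: the Authorization Code exchange carries a code and the Redirect URI the IdP just used, while the Client Credentials request carries only the grant type, since no user and no browser are involved.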
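How the JSON web keyset URI and the User Key setting come together once an ID Token arrives, as an added example that is not TIBCO's code: the verifier selects the JWKS key named by the token's kid, checks the RS256 signature, checks issuer, audience and expiry, and only then reads the claim configured as User Key (email by default). So that it runs offline, a throwaway RSA key stands in for the IdP's signing key and the JWKS document is built from it in the shape an IdP publishes; the issuer, client ID, kid and claim values are constructed placeholders.

```python
"""Verify an IdP-issued ID Token against the JSON Web Key Set (JWKS) and select the
User Key claim. Added illustration, not TIBCO code: a throwaway RSA key stands in for
the IdP's signing key so this runs offline, and the JWKS is built from it in the shape
an IdP publishes at its JSON web keyset URI. Issuer, client ID, kid and claims are constructed."""
import base64, hashlib, hmac, json, random, secrets, time

def _probable_prime(n, rounds=25):          # Miller-Rabin for a large odd n (demo quality)
    d, s = n - 1, 0
    while d % 2 == 0: d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1: continue
        for _ in range(s):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def generate_rsa_key(bits=1024, e=65537):   # throwaway key; a real IdP uses a proper library/HSM
    def prime(b):
        while True:
            p = secrets.randbits(b) | (1 << (b - 1)) | 1          # odd, full bit length
            if _probable_prime(p):
                return p
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                                    # e must be coprime to phi
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def _emsa(msg, k):
    """EMSA-PKCS1-v1_5 for RS256: 00 01 FF..FF 00 DigestInfo(SHA-256(msg)), k bytes long."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return hmac.compare_digest(em, _emsa(msg, k))

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int_b64u(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def jwks_for(key, kid):                      # what the IdP serves at its JSON web keyset URI: public parts only
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": _int_b64u(key["n"]), "e": _int_b64u(key["e"])}]}

def issue_id_token(key, kid, claims):        # IdP side: compact JWS header.payload.signature
    h, p = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode()), b64u(json.dumps(claims).encode())
    return f"{h}.{p}.{b64u(rs256_sign(key, f'{h}.{p}'.encode()))}"

def verify_id_token(token, jwks, issuer, client_id, user_key="email", now=None):
    """Relying-party side: returns the User Key claim (default: the user's email) or
    raises ValueError. Nothing in the token is trusted before its signature verifies."""
    h, p, s = token.split(".")                                    # ValueError if malformed
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "RS256":                              # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no JWKS key with matching kid")
    n, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), b64u_dec(s)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64u_dec(p))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("token not issued by our IdP for this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if user_key not in claims:
        raise ValueError(f"User Key claim {user_key!r} absent; check the Auth Scope")
    return claims[user_key]

def demo(now=1_700_000_100):                 # round trip, then the rejections a verifier must produce
    key, kid, issuer, cid = generate_rsa_key(), "idp-2024-01", "https://idp.example.com", "bpme-client"
    jwks = jwks_for(key, kid)
    claims = {"iss": issuer, "aud": cid, "sub": "user-123", "email": "alice@example.com", "exp": now + 3500}
    token = issue_id_token(key, kid, claims)
    def rejected(tok):
        try:
            verify_id_token(tok, jwks, issuer, cid, now=now)
        except ValueError:
            return True
        return False
    h, _, s = token.split(".")                                    # payload swapped under the old signature
    forged = f"{h}.{b64u(json.dumps(dict(claims, email='mallory@example.com')).encode())}.{s}"
    return {"email": verify_id_token(token, jwks, issuer, cid, now=now),
            "sub": verify_id_token(token, jwks, issuer, cid, user_key="sub", now=now),
            "forged_rejected": rejected(forged),
            "expired_rejected": rejected(issue_id_token(key, kid, dict(claims, exp=now - 1))),
            "wrong_aud_rejected": rejected(issue_id_token(key, kid, dict(claims, aud="other-app"))),
            "unknown_kid_rejected": rejected(issue_id_token(key, "rotated-away", claims))}
```

Running demo() returns the user's email (the default User Key), the sub claim when User Key is set to sub, and True for each rejection case: a token whose payload was altered, an expired token, a token issued for another client, and a token signed under a kid that the JWKS no longer lists, which is what a rotated IdP key looks like to the relying party.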