Authentication

An authenticated user is required to access TIBCO BPM Enterprise. Users must be registered with the TIBCO BPM Enterprise Directory Engine via the Organization Browser.

TIBCO BPM Enterprise supports the following types of authentication:

  • Basic Authentication - The credentials used for authentication are obtained from the HTTP request in the form of a user name and password. The user name and password are authenticated against an LDAP directory.
  • SAML Web Profile - If your TIBCO BPM Enterprise application is configured to use SAML Web Profile for authentication, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports SAML Web Profile.
  • OpenID Connect - If your TIBCO BPM Enterprise application is configured to use OpenID Connect, the users can log in with a user name and password issued by an Identity Provider (IdP) that supports OpenID Connect.

Authentication Process

TIBCO BPM Enterprise contains a login module for each of the available types of authentication: basic, SAML Web Profile, and OpenID Connect. When a TIBCO BPM Enterprise HTTP endpoint is accessed, the appropriate login module handles the user authentication by performing the following steps:

  1. The system checks for a current user session and whether or not it has expired. If there is a current, unexpired user session, the HTTP request is processed.
  2. If there is no current user session, a check is made to determine whether TIBCO BPM Enterprise is configured for basic authentication. Basic authentication means HTTP basic authentication, in which the principal's credentials are passed in the HTTP Authorization request header.

    The basic authentication login module extracts the principal from the HTTP Authorization header (if it is present) and searches for the user in the TIBCO BPM Enterprise system. If the user exists in TIBCO BPM Enterprise, the system returns details of the user, including the primary LDAP to be used for authentication purposes.

    Basic authentication is configured using an HTTP Client Shared Resource defined in TIBCO BPM Enterprise Administrator.

  3. If basic authentication is not used or fails, the system checks whether TIBCO BPM Enterprise is configured for Single Sign-On (SSO) authentication (SAML Web Profile or OpenID Connect). SSO authentication must be configured if basic authentication is not configured. Also, only one SSO authentication type is supported across all in-bound TIBCO BPM Enterprise REST APIs at a given time: both types can be configured, but only one can be enabled at a time.

    Depending on which SSO authentication type is configured, control is handed over to the appropriate login module (SAML Web Profile or OpenID Connect), which uses the appropriate shared resource configuration defined in TIBCO BPM Enterprise Administrator.

    After SSO authentication is completed, an authorization check is performed to ensure that the user exists in TIBCO BPM Enterprise. This is done by looking up the user in the Directory Engine. If this lookup succeeds, the user is considered authenticated and an HTTP session is created.
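The three-step login-module chain above (session check, then HTTP basic authentication against the user's primary LDAP, then a single enabled SSO type followed by a Directory Engine lookup) is easier to reason about when written out. The following Python is an added illustration and is not TIBCO code; the in-memory `DIRECTORY`, `LDAPS`, `SESSIONS` and `TRUSTED_ISSUERS` tables are constructed stand-ins for the Directory Engine, the LDAP servers, the HTTP session store and the IdP trust configuration, and the `SESSION_TTL` value is an assumption.

```python
import base64
import binascii
import hmac
import secrets
import time

# Constructed stand-ins. DIRECTORY plays the Directory Engine (user -> primary LDAP);
# LDAPS plays the LDAP servers (server -> user -> password); SESSIONS is the HTTP
# session store (token -> (user, expiry)); TRUSTED_ISSUERS is the IdP configuration.
DIRECTORY = {"alice": {"primary_ldap": "corp-ldap"}, "bob": {"primary_ldap": "partner-ldap"}}
LDAPS = {"corp-ldap": {"alice": "s3cret"}, "partner-ldap": {"bob": "hunter2"}}
SESSIONS = {}
TRUSTED_ISSUERS = {"saml": "https://idp.example/saml", "oidc": "https://idp.example/oidc"}
SESSION_TTL = 1800  # seconds; assumed value, not a product default


def make_basic_header(user, password):
    """Build an 'Authorization: Basic' value the way an HTTP client would."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_header(value):
    """Step 2: extract the principal from the Authorization header, or None if absent/malformed."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def basic_login(auth_header):
    """Step 2: look the principal up, then verify the password against its primary LDAP."""
    creds = parse_basic_header(auth_header)
    if creds is None:
        return None
    user, password = creds
    record = DIRECTORY.get(user)  # user must exist in the Directory Engine
    if record is None:
        return None
    expected = LDAPS.get(record["primary_ldap"], {}).get(user)
    # Constant-time comparison stands in for the LDAP bind.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def sso_login(assertion, enabled_type):
    """Step 3: accept an assertion only of the single enabled SSO type from a trusted issuer."""
    if not assertion or assertion.get("type") != enabled_type:
        return None
    if assertion.get("issuer") != TRUSTED_ISSUERS.get(enabled_type):
        return None
    return assertion.get("subject")


def current_user(token, now):
    """Step 1: return the session's user if the session exists and has not expired."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, expires = entry
    if now >= expires:
        del SESSIONS[token]  # expired sessions are discarded, not reused
        return None
    return user


def create_session(user, now):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, now + SESSION_TTL)
    return token


def authenticate(request, enabled_sso="saml", now=None):
    """Run the login-module chain for one request. Returns (user, session_token) or (None, None)."""
    now = time.time() if now is None else now
    user = current_user(request.get("session"), now)
    if user:
        return user, request["session"]
    user = basic_login(request.get("authorization"))
    if user is None and enabled_sso:
        subject = sso_login(request.get("sso"), enabled_sso)
        # Authorization check after SSO: the asserted subject must exist in the Directory Engine.
        if subject is not None and subject in DIRECTORY:
            user = subject
    if user is None:
        return None, None
    return user, create_session(user, now)


if __name__ == "__main__":
    user, token = authenticate({"authorization": make_basic_header("alice", "s3cret")}, now=1000)
    print(user, authenticate({"session": token}, now=1500)[0])
```

Two points the chain makes visible: the basic-auth path consults the Directory Engine before any LDAP bind, so an unknown principal never reaches LDAP, and the SSO path treats a valid assertion as necessary but not sufficient, because a subject the IdP vouches for is still rejected until the Directory Engine lookup succeeds.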