SAML Web Profile Authentication

If your TIBCO BPM Enterprise application is configured to use SAML Web Profile for authentication, users can log in with a username and password issued by an IdP that supports SAML Web Profile. TIBCO BPM Enterprise supports Google and simpleSAMLphp as SAML IdPs.

Note: Ensure that the resource registered with your IdP is added to the LDAP.

Perform the following procedure to ensure that SAML authentication works with your registered users:

  1. Download and set up your preferred SAML IdP on your local machine. For more information, visit the website of your IdP.

  2. Configure your SAML IdP. For more information about configuring a SAML shared resource, see SAML Authentication Shared Resources.

  3. Ensure that the user whose login credentials are registered with the IdP is also added to the LDAP Container. For more information, see the Configure the LDAP Directory Server topic in the TIBCO BPM Enterprise Installation Guide.

The following steps describe the basic flow when a user attempts to log in to a TIBCO BPM Enterprise application that is configured to use SAML Web Profile, using their IdP credentials. In this scenario, the user is not already logged in to TIBCO BPM Enterprise.

  1. The user starts a TIBCO BPM Enterprise application that is using SAML Web Profile authentication.
  2. The application tries to access the TIBCO BPM Enterprise server, but the login module determines that the user is not authenticated and that authentication is provided by SAML Web Profile.
  3. The application redirects the login request to the IdP.
  4. The IdP displays a login screen (for example, Google's login screen), requesting the user's IdP-issued credentials.
  5. The user enters their IdP-issued credentials.
  6. Upon receiving the user validation from the IdP, the application redirects the request to the TIBCO BPM Enterprise server to authenticate the user before logging the user in to the application.

A cookie is also created when the user is validated by the TIBCO BPM Enterprise server. The cookie is used to establish the session that is used by all subsequent calls to the TIBCO BPM Enterprise server.
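The checks below illustrate what the server side of step 6 must do before it treats the IdP's answer as a valid login and creates the session cookie: confirm the assertion is addressed to this application, is still within its validity window, and names a user who is also present in the LDAP container (the requirement of step 3 above). This is an added example, not TIBCO's code; the SAML Response, the audience URL and the LDAP user table are constructed placeholders, and signature verification is assumed to have already been performed by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; audience URL and NameID are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://bpm.example.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the LDAP container: IdP identity -> BPM user name.
LDAP_USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}


def _iso(ts):
    """Parse the UTC timestamps SAML uses into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_login(response_xml, expected_audience, now_iso, ldap_users=LDAP_USERS):
    """Return (True, bpm_user) when the assertion may start a session,
    otherwise (False, reason). Signature checking is assumed done upstream."""
    now = _iso(now_iso)
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    # The assertion must be intended for this SP, not replayed from another.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    # NotBefore is inclusive, NotOnOrAfter is exclusive (SAML core semantics).
    if not (_iso(cond.get("NotBefore")) <= now < _iso(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window"
    # The IdP-validated identity must also exist in LDAP (step 3 above).
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id not in ldap_users:
        return False, "IdP user not present in LDAP"
    return True, ldap_users[name_id]
```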

The following steps describe the events that occur when an IdP-authenticated user logs out of a TIBCO BPM Enterprise application:

  • The user is redirected to the login page for the application. When the request is redirected to <domain>/apps/login/index.html, the login page checks for an existing authenticated session. If there is no authenticated session, it forwards the request to the SAML IdP login page (if the user is not authenticated with the IdP).
  • The cookie that was created upon login is removed.