OpenID Connect Authentication

If your TIBCO BPM Enterprise application is configured to use OpenID Connect, users of your application can log in using a username and password issued by an Identity Provider (IdP) that supports OpenID Connect. TIBCO BPM Enterprise supports Google and PingID® as OpenID IdPs.

Note: Ensure that the resource registered with your IdP is also added to the LDAP directory.

Perform the following steps to ensure that OpenID authentication works with your registered users:

  1. Set up your preferred OpenID IdP, including any download it requires on your local machine. For more information, visit the website of your IdP provider.

  2. Configure your OpenID IdP. For more information about configuring an OpenID authentication shared resource, see OpenID Authentication Shared Resources.

  3. Ensure that the user whose login credentials are registered with the IdP is also added to the LDAP container. For more information, see the Configure the LDAP Directory Server topic in the TIBCO BPM Enterprise Installation Guide.

The following steps describe the basic flow when someone attempts to log in to a TIBCO BPM Enterprise application that is configured to use OpenID Connect, using their IdP credentials. In this scenario, the user is not already logged in to TIBCO BPM Enterprise.

  1. The user starts a TIBCO BPM Enterprise application that is using OpenID Connect authentication.
  2. The application tries to access the TIBCO BPM Enterprise server, but the login module determines that the user is not authenticated and that authentication is being provided by OpenID Connect.
  3. The application redirects the login request to the IdP.
  4. The IdP displays a login screen, requesting the user's IdP-issued credentials.
  5. The user enters IdP-issued credentials.
  6. After validating the user, the IdP returns an ID token in the form of a JSON Web Token (JWT) to indicate a successful authentication.

    Note: The OpenID access token is not currently supported. The login module relies on the OpenID ID token to identify the user.

    The response from the IdP also includes the claims specified in the Auth Scope field of the OpenID Authentication shared resource.

    The IdP sends the ID Token and claims information to the "Redirect URI" that is specified in the OpenID Connect shared resource.

  7. On receiving the ID token from the IdP, the application redirects the request to the TIBCO BPM Enterprise server to authenticate the user before logging in to the application.

A cookie is also created when the user is validated by the TIBCO BPM Enterprise server. The cookie includes the ID token, which is used to establish the session used by all subsequent calls to the TIBCO BPM Enterprise server.
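The steps above describe the relying-party side of the exchange: the server receives the ID token (a JWT) at the redirect URI, must decide whether to accept it as proof of authentication, and then issues the session cookie carrying that token. The following Python is an added illustration of the checks a relying party performs before trusting an ID token, and of a hardened session cookie; it is not TIBCO BPM Enterprise code and does not describe how the product implements its login module. It assumes an HS256-signed token with a constructed shared secret so that it runs offline with the standard library (production IdPs such as Google sign ID tokens with RS256 and publish public keys at a JWKS endpoint), and uses placeholder values for the issuer, client ID and cookie name.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. Real IdPs sign ID tokens with RS256 and publish their
# public keys at a JWKS endpoint; HS256 with a shared secret is used here only
# so the example runs offline with the standard library.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

# Values the relying party must know independently of the token it receives.
# Both are placeholders, not values from the product documentation.
EXPECTED_ISSUER = "https://idp.example.invalid"
EXPECTED_AUDIENCE = "bpm-client-id-placeholder"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256-signed JWT. Plays the IdP role for this demonstration."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class IdTokenError(Exception):
    """Raised when an ID token must be rejected and no session may be created."""


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[float] = None,
                      secret: bytes = DEMO_SECRET) -> dict:
    """Verify the signature and the core OIDC claims; return the claims on success."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise IdTokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the relying party expects; never let the token's own
    # 'alg' header choose the verification method (this also rejects 'none').
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("token expired")
    # The nonce binds this token to the login request that caused the redirect,
    # so a token captured from another login cannot be replayed here.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    if not claims.get("sub"):
        raise IdTokenError("missing subject")
    return claims


def session_cookie_header(id_token: str) -> str:
    """Set-Cookie value for a session cookie that carries the validated ID token.
    The cookie name is a placeholder; HttpOnly, Secure and SameSite are the
    standard hardening attributes for a session cookie."""
    return f"BPMSESSION={id_token}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

In the flow on this page, `validate_id_token` corresponds to the server-side check in step 7, and only a token that passes every check should reach `session_cookie_header`; a failed check means the redirect to the IdP is repeated rather than a session being created.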

The following steps describe the events that occur when an IdP-authenticated user logs out of a TIBCO BPM Enterprise application:

  • The browser sends a request to the value in the Logout path property to the TIBCO BPM Enterprise server. (When a user logs out of the TIBCO BPM Enterprise application, the user does not log out of the IdP; only the client session is invalidated.)
  • The cookie that was created on login is removed.

Note: At any given time, only one SSO-related shared resource can be enabled: either SAML or OpenID.