Authentication
All access to TIBCO BPM Enterprise requires an authenticated user, whether that access is through run-time user interfaces, web service APIs, deployment or other supported access mechanisms.
Users must be registered with TIBCO BPM Enterprise via the Organization Browser - see Organization Model and Resource Management.
TIBCO BPM Enterprise supports the following methods to authenticate users:
- Basic authentication - Basic authentication requires the calling application to provide valid TIBCO BPM Enterprise login credentials when calling a TIBCO BPM Enterprise service. This is the default authentication method used by TIBCO BPM Enterprise.
The type of Basic authentication to use depends on the type of interface you are using:
  - REST API
    An API call to the REST API must include a UsernameToken in the header, which specifies the username and password of the user on whose behalf the call is being made. This uses SecurityUsernameToken Profile 1.0.
    A TIBCO BPM Enterprise LDAP authentication provider resource instance (for example, amx.bpm.auth.easyAs) is also required, which validates:
    - the supplied username against the BPM organization model.
    - the supplied password against the LDAP entity represented by that BPM user.
    Note: For secure communication, TIBCO BPM Enterprise needs to be front-ended with a load balancer or proxy with HTTPS enabled.
    The sample client applications provided with TIBCO BPM Enterprise implement direct authentication using a UsernameToken.
- Single sign-on (SSO) authentication - With SSO authentication, a user who already has a login session with the client application does not need to provide login credentials again when calling a TIBCO BPM Enterprise service (provided that their credentials are also valid for logging in to TIBCO BPM Enterprise).
Different types of SSO authentication can be used, depending on the API or client you are using:
  - SAML Web Profile
  - OpenID Connect
For additional information, as well as the APIs and clients that support each of these SSO types, see Introduction to Single Sign-On Authentication and the TIBCO BPM Enterprise Administrator's guide.