Authentication

All access to TIBCO BPM Enterprise requires an authenticated user, whether that access is through run-time user interfaces, web service APIs, deployment or other supported access mechanisms.

Users must be registered with TIBCO BPM Enterprise via the Organization Browser; see Organization Model and Resource Management.

TIBCO BPM Enterprise supports the following methods to authenticate users:

  • Basic authentication - Basic authentication requires the calling application to provide valid TIBCO BPM Enterprise login credentials when calling a TIBCO BPM Enterprise service. This is the default authentication method used by TIBCO BPM Enterprise.

    The type of Basic authentication to use depends on the type of interface you are using:

    • REST API

      An API call to the REST API must include a UsernameToken in the header, which specifies the username and password of the user on whose behalf the call is being made. This uses Security UsernameToken Profile 1.0.

      A TIBCO BPM Enterprise LDAP authentication provider resource instance (for example, amx.bpm.auth.easyAs) is also required. It validates:

      • the supplied username against the BPM organization model.
      • the supplied password against the LDAP entity represented by that BPM user.

      Note: For secure communication, TIBCO BPM Enterprise must be fronted by a load balancer or proxy with HTTPS enabled.

      The sample client applications provided with TIBCO BPM Enterprise implement direct authentication using a UsernameToken.

  • Single sign-on (SSO) authentication - With SSO authentication, a user who already has a login session with the client application does not need to provide login credentials again when calling a TIBCO BPM Enterprise service (provided that their credentials are also valid for logging in to TIBCO BPM Enterprise).

    Different types of SSO authentication can be used, depending on the API or client you are using:

    • SAML Web Profile
    • OpenID Connect

    For additional information, as well as the APIs and clients that support each of these SSO types, see Introduction to Single Sign-On Authentication and the TIBCO BPM Enterprise Administrator's guide.