Configure IdP

TIBCO Platform supports connecting to a corporate IdP instead of the built-in Default IdP. The two supported protocols are SAML and LDAP. SAML is configured in the TIBCO Platform Console, whereas LDAP is configured in the individual Control Plane subscription screens.

In the SAML protocol, TIBCO Control Plane is a Service Provider (SP) that initiates a login request to the IdP via the browser. The IdP responds with the SAML assertion, again via the browser. IdP-initiated login is not supported. For information about constructing a URL that takes you to the corporate IdP and then to TIBCO Control Plane, see Bookmarking URL to Bypass Landing Page.

Configuring SAML IdP

Before you begin
  • For provider details, the Entity ID URLs of both the identity provider and the service provider are required.
  • The IdP certificates to upload are the certificates that the service provider must trust from the IdP (to ensure that mutual trust is established).
  • You must have IdP Manager permission.

Procedure
  1. In TIBCO Platform Console, go to User Management > Configure IdP and click Configure Corporate IdP. You can also navigate to Configure IdP from the Home page by clicking the Configure IdP button on the Configure IdP card.
  2. On the Provider Details page, select the host from the dropdown list. Enter the Identity provider's entity ID and the Service provider's entity ID. Optionally, enter comments, and then click Next.
  3. On the Sign-On and Logout page, provide the following details and click Next.

    Field: Sign On
      • Enter the IdP's Single Sign-On URL. Users are redirected to this URL when they log in.
      • Select the POST or Redirect Binding method for SSO requests.

    Field: Expect encrypted payload from IdP
      If the checkbox is selected, either the SAML assertion or all SAML attributes must be encrypted by the IdP; otherwise the login request is rejected.

    Field: Logout
      To issue a Single Logout (SLO) call to the IdP when signing out of the TIBCO Control Plane, select the checkbox.
      • Enter the IdP's Single Logout URL.
      • Select the POST or Redirect Binding method for the SLO request.

    Note: The Assertion Consumer Service URL is where your IdP must post the SAML response. You must configure the following Assertion Consumer Service URL in your IdP: https://<adminHostPrefix>.<dnsDomain>/idm/acscallback. The logout URL must be https://<adminHostPrefix>.<dnsDomain>/idm/logout.
    Note: When upgrading to TIBCO Control Plane 1.15.0, administrators must update their IdP configuration whitelisting to include the new Platform Console hostname. This update is essential, especially for Microsoft Entra servers, to prevent authentication failures. Other SAML-compliant servers must honor the signed SAML Authentication Request without requiring whitelisting.
  4. Certificates that are mutually trusted establish the identities of the Identity Provider (IdP) and the Service Provider (SP). On the Certificates page, the Service Provider Certificate is set to Generated by Control Plane by default. Sign requests is also checked by default, which sends a signed authentication request to the IdP. You can select the signature algorithm to use from the dropdown menu.

    Upload the IdP certificates to trust. After uploading, you can view, delete, or download each certificate. You can upload up to 3 certificates.

    Note: Only certificates with the .pem file extension can be uploaded. For example, okta.pem.

    By default, the Service Provider Certificate is generated by the Control Plane. Click Next.

  5. On the IdP Groups page, configure the IdP Groups from your IdP that are displayed in the SAML assertion. Enter the details such as First Name, Last Name, Email, and USER ID/Subject as they appear in the SAML assertion. You can also add further details such as manager, department, location, and so on.

    Enter the group names for role-based access control (RBAC). To add a new group name, click Add New. You can specify one or more IdP Groups (max 10) from your IdP that are expected in the SAML assertion and map those values when assigning permissions. Ensure all group names are 48 characters or less. Click Submit.

Result

Upon submitting, the successfully configured Corporate IdP is displayed. Click Go to Configured IdP to see it in the Corporate IdP list. You have to download or copy the (.json) metadata file and upload it to your IdP server. Click OK.

What to do next

After configuring the IdP from Platform Console, you can sign in to TIBCO Control Plane by using your corporate email ID.

Viewing Corporate IdP Details

You can view a list of all configured corporate IdPs in the Corporate IdP table. The Corporate IdP table displays the following information: Host Prefix, IdP ID, Service Provider ID, Required for all users.

You can enable or disable the default IdP for all users by using the Required for all users toggle button. By default, this is disabled, which means users can sign in by using either the corporate IdP or the default IdP.

To view the details of a configured corporate IdP, click the expand icon.

You can also perform the following tasks in the Corporate IdP table.

Update the Configured Corporate IdP

To update the Configured Corporate IdP, click the vertical ellipsis icon and follow the above procedure.

Note: While updating the configured corporate IdP, you cannot select the host prefix. But, you can edit all other fields if required.

Copy the Configured Corporate IdP

Each Control Plane (host) needs to have its own configuration of the Corporate IdP because the URLs are different. Rather than starting from scratch, you can copy an existing configuration and change the parameters as needed. The applicable host has to be different. To copy the Configured Corporate IdP, click the vertical ellipsis icon and complete the procedure.

Note: Upon copying, the Configure Corporate IdP form fields get auto-filled but you can edit them if required.

Delete the Configured Corporate IdP

To delete the Configured Corporate IdP, click the vertical ellipsis icon. The Delete Corporate IdP popup window opens. Enter the required comment. To delete the entire configured corporate IdP history, click the Delete history checkbox, and click Delete.

Configuring LDAP IdP

Before you begin
  • Your organization must have an LDAP directory. This directory must be accessible from the Control Plane.

  • Provide administrative user credentials. The Control Plane queries the LDAP directory using these credentials.

  • Group membership is captured only when a group has users. You can assign permissions to LDAP groups or users.

  • You must have IdP Manager permission in TIBCO Control Plane. See Permissions for details.

LDAP IdP Configuration Process

The IdP Manager configures the LDAP connection. This process is configurable for every Control Plane subscription. A successful connection and authentication test must pass before you save the configuration.

Configuration Parameters

The following table describes the LDAP IdP configuration parameters:

Server URL
  This is the LDAP server URL. Acceptable schemes are ldap and ldaps. For example: ldaps://server.example.com:3289.

Bind User DN
  This is the Distinguished Name of a user. The system binds this user to the LDAP directory. It searches for users and groups and verifies credentials.

Bind User Password
  This password is saved in the encrypted format in the database. You must provide it every time you modify the LDAP configuration.

Group Id Attribute
  This attribute holds the group's name. The system passes this name to TIBCO Platform. A typical value is CN.

Group User Attribute
  This attribute denotes member users. A typical value is member.

Sub Group Attribute
  This attribute denotes other subgroups. Often, the value is member.

Groups Search Base DN
  This is the starting point for searching groups. For example: dc=groups,dc=company,dc=com.

Group Search Expression
  This LDAP search expression searches for groups that contain a given user. For example: (&(member={0})(objectClass=group)).

User Id Attribute
  This is the user's ID attribute. For example: sAMAccountName.

User Search Base
  This is the starting point for searching users. For example: dc=users,dc=company,dc=com.

User Search Expression
  This LDAP search expression searches for the user with the given user ID. For example: (&(sAMAccountName={0})(objectClass=person)).

User Password Attribute
  This is an optional attribute that contains the user's password.

Trusted Custom Certificates
  This option is enabled only for the ldaps URL scheme. It applies only if the server presents a self-signed X.509 certificate or a certificate issued by a private Certificate Authority. You can add at most three certificates.

Test configuration
  You use a username and password to test whether user credentials validate. These are not part of the configuration and are not persisted. The response shows the groups to which this user belongs. The response may truncate to fit the display.
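As an added illustration (not TIBCO's code), the following Python sketch shows how the parameters in the table above combine at login time: the user ID is substituted into the User Search Expression, the resulting DN is substituted into the Group Search Expression, and the Group Id Attribute of each matching group is returned, which is what the Test configuration response lists. The directory entries and the filter evaluator are constructed stand-ins for a real LDAP server, and the RFC 4515 escaping of the {0} value is an assumption about sound handling of user-supplied IDs, not something the page describes.

```python
import re
_EQ = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")  # one (attr=value) term of a filter

# Constructed in-memory stand-in for the LDAP directory (hypothetical entries).
DIRECTORY = {
    "cn=alice,dc=users,dc=company,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["alice"]},
    "cn=platform-admins,dc=groups,dc=company,dc=com": {
        "objectClass": ["group"], "cn": ["platform-admins"],
        "member": ["cn=alice,dc=users,dc=company,dc=com"]},
}

# The parameters from the table above, using the table's own example values.
CONFIG = {
    "group_id_attribute": "cn",
    "groups_search_base_dn": "dc=groups,dc=company,dc=com",
    "group_search_expression": "(&(member={0})(objectClass=group))",
    "user_search_base": "dc=users,dc=company,dc=com",
    "user_search_expression": "(&(sAMAccountName={0})(objectClass=person))",
}

def escape_filter_value(value):
    """RFC 4515 escaping for the value substituted into {0}, so a login name
    such as 'alice)(cn=*' cannot change the shape of the configured filter."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(base_dn, expression):
    """Evaluate a conjunctive equality filter such as (&(a=x)(b=y)) below base_dn."""
    conditions = [(a.lower(), _unescape(v)) for a, v in _EQ.findall(expression)]
    hits = []
    for dn, entry in DIRECTORY.items():
        attrs = {k.lower(): v for k, v in entry.items()}
        if dn.endswith("," + base_dn) and all(
                v in attrs.get(a, []) for a, v in conditions):
            hits.append((dn, entry))
    return hits

def resolve_user_groups(user_id):
    """The documented flow: find the user by ID, then the groups whose member
    attribute lists the user's DN; returns the Group Id Attribute values."""
    user_filter = CONFIG["user_search_expression"].replace("{0}", escape_filter_value(user_id))
    users = search(CONFIG["user_search_base"], user_filter)
    if len(users) != 1:  # unknown or ambiguous user: the credential test fails
        return None
    group_filter = CONFIG["group_search_expression"].replace("{0}", escape_filter_value(users[0][0]))
    groups = search(CONFIG["groups_search_base_dn"], group_filter)
    return sorted(e[CONFIG["group_id_attribute"]][0] for _, e in groups)
```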