Configure IdP

In the TIBCO Platform Console, you can configure your Corporate IdP for use instead of the built-in Default IdP. This allows users to use Single Sign-On and the same security policies as the rest of your organization. TIBCO Platform Console acts as a Service Provider (SP) that authenticates users against your configured SAML2-compliant Identity Provider.

Before you begin
  • For Provider Details, the Entity ID URLs of the identity provider and the service provider are required.
  • For IdP Certificates to trust, the certificate that the service provider should trust from the IdP is required (to ensure that mutual trust has been established).

Procedure
  1. Go to User Management > Configure IdP and click Configure Corporate IdP. You can also navigate to Configure IdP from the Home page by clicking the Configure IdP button on the Configure IdP card.
  2. On the Provider Details page, select the host from the dropdown list. Enter the Identity Provider's Entity ID and the Service Provider's Entity ID. Optionally, enter comments, and then click Next.
  3. On the Sign-On and Logout page, provide the following details and click Next.
    Field: Sign On
    Description:
    • Enter the IdP's Single Sign-On URL. Users are redirected to this URL when they log in.
    • Select the POST or Redirect binding method for SSO requests.
    • Select the checkbox so that the IdP encrypts the SAML assertion inside the signed response.

    Field: Logout
    Description: To issue a Single Logout (SLO) call to the IdP when signing out of the TIBCO Control Plane, select the checkbox.
    • Enter the IdP's Single Logout URL.
    • Select the POST or Redirect binding method for the SLO request.

  4. Certificates that are mutually trusted establish the identities of the Identity Provider (IdP) and the Service Provider (SP). On the Certificates page, the Service Provider Certificate is set to Generated by Control Plane by default. Sign requests is also checked by default, so that a signed authentication request is sent to the IdP. You can select the signature algorithm from the dropdown menu.

    Upload the IdP certificates to trust. After uploading, you can view, delete, or download each certificate. You can upload up to 3 certificates.

    Note: Only certificates with the .pem file extension can be uploaded, for example, okta.pem.

    By default, the Service Provider Certificate is generated by the Control Plane. Click Next.

  5. On the Groups page, configure the groups from your IdP that appear in the SAML assertion. Enter the attribute details such as First Name, Last Name, Email, and USER ID/Subject for the SAML assertion. For example, you can add details such as manager, department, location, and so on.

    Enter the group names for role-based access control (RBAC). To add a new group name, click Add New. You can specify one or more groups (up to 10) from your IdP that are expected in the SAML assertion, and map those values when assigning permissions. Click Submit.
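
A pre-flight check for the values entered in the procedure above, added here as an example (it is not part of the TIBCO product or this documentation): it encodes the form's constraints (POST or Redirect bindings, an SLO URL only when SLO is enabled, one to three .pem trust certificates, one to ten group names) and computes a SHA-256 fingerprint of each uploaded certificate so it can be compared with the thumbprint shown in the IdP console before the file is trusted. Requiring https for the entity IDs and endpoints is an assumption of the example, as are the field names, the example.com hosts and the placeholder PEM body.

```python
import base64, hashlib, re
from urllib.parse import urlparse
# Limits taken from the procedure above: up to 3 trusted IdP certificates, up to 10 groups.
MAX_IDP_CERTS, MAX_GROUPS, BINDINGS = 3, 10, {"POST", "Redirect"}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _check_url(value, field, errors):
    # Assumption of this example: entity IDs and SSO/SLO endpoints must be absolute https:// URLs.
    u = urlparse(value or "")
    if u.scheme != "https" or not u.netloc:
        errors.append(f"{field}: expected an absolute https:// URL, got {value!r}")

def pem_fingerprint(pem_text):
    # SHA-256 of the DER bytes of the first CERTIFICATE block (None if absent); compare with the IdP console's thumbprint.
    m = PEM_BLOCK.search(pem_text)
    if not m:
        return None
    return hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()

def validate_idp_config(cfg):
    errors = []  # an empty result means the form can be submitted
    for field in ("idp_entity_id", "sp_entity_id", "sso_url"):
        _check_url(cfg.get(field), field, errors)
    if cfg.get("sso_binding") not in BINDINGS:
        errors.append("sso_binding: must be POST or Redirect")
    if cfg.get("slo_enabled"):  # SLO URL and binding only matter when SLO is enabled
        _check_url(cfg.get("slo_url"), "slo_url", errors)
        if cfg.get("slo_binding") not in BINDINGS:
            errors.append("slo_binding: must be POST or Redirect")
    certs = cfg.get("idp_certs", {})  # {filename: PEM text}
    if not 1 <= len(certs) <= MAX_IDP_CERTS:
        errors.append(f"idp_certs: need 1 to {MAX_IDP_CERTS} files, got {len(certs)}")
    for name, pem in certs.items():
        if not name.endswith(".pem"):
            errors.append(f"{name}: only .pem files are accepted")
        elif pem_fingerprint(pem) is None:
            errors.append(f"{name}: no CERTIFICATE block found")
    groups = cfg.get("groups", [])
    if not 1 <= len(groups) <= MAX_GROUPS:
        errors.append(f"groups: need 1 to {MAX_GROUPS} names, got {len(groups)}")
    return errors

# Constructed sample input: the base64 body is placeholder bytes, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(b"placeholder DER bytes, not a real certificate").decode())
SAMPLE_CONFIG = {  # hypothetical field names; example.com hosts are placeholders
    "idp_entity_id": "https://idp.example.com/saml/metadata", "sp_entity_id": "https://cp.example.com/saml/sp",
    "sso_url": "https://idp.example.com/sso", "sso_binding": "POST",
    "slo_enabled": True, "slo_url": "https://idp.example.com/slo", "slo_binding": "Redirect",
    "idp_certs": {"okta.pem": SAMPLE_PEM}, "groups": ["platform-admins", "developers"]}
```

Run `validate_idp_config(SAMPLE_CONFIG)` to get an empty list for the sample; any non-empty list names the form field that still needs attention.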

Result

Upon submitting, you can view the successfully configured Corporate IdP. Click Go to Configured IdP to see it in the Corporate IdP list. You must download or copy the (.json) metadata file and upload it to your IdP server. Click OK.

What to do next

After configuring the IdP from the Platform Console, you can sign in to the TIBCO Control Plane by using your corporate email ID.

Viewing Corporate IdP Details

You can view a list of all configured corporate IdPs in the Corporate IdP table. The table displays the following information: Host Prefix, IdP ID, Service Provider ID, and Required for all users.

You can enable or disable the default IdP for all users by using the Required for all users toggle. By default, this is disabled, which means users can sign in by using either the corporate IdP or the default IdP.

To view the details of a configured corporate IdP, click the expand icon.

You can also perform the following tasks in the Corporate IdP table.

Update the Configured Corporate IdP

To update the configured Corporate IdP, click the vertical ellipsis icon and follow the procedure above.

Note: While updating the configured corporate IdP, you cannot change the host prefix, but you can edit all other fields if required.

Copy the Configured Corporate IdP

Each Control Plane (host) needs its own Corporate IdP configuration because the URLs are different. Rather than starting from scratch, you can copy an existing configuration and change the parameters as needed; the target host must be different from the original. To copy the configured Corporate IdP, click the vertical ellipsis icon and complete the procedure.

Note: Upon copying, the Configure Corporate IdP form fields are auto-filled, but you can edit them if required.

Delete the Configured Corporate IdP

To delete the configured Corporate IdP, click the vertical ellipsis icon. The Delete Corporate IdP popup window opens. Enter the required comment. To also delete the entire history of the configured corporate IdP, select the Delete history checkbox. Click Delete.