TIBCO® BPM API's available as API Explorer and ready to use Client Application Development Features.
Any Integration can be implemented using Server or Client-Side APIs from scratch.
Using the Client Application Development comes with a lot of Benefits, e.g.
- custom code simplification
- quick to learn and implement
- no need to learn all detailed API calls to achieve a goal
- officially supported
- quick execution
- minimize Project Risk
- API Explorer, available with and BPME 5.x Installation
- Server-Side API Documentation Link (4.3)
- Client-Side Object API Documentation (4.3) based on AngularJS
- Client-Side Business Component Services (4.3) & Business Components (4.3)
Single Sign-On (SSO)
This is a big topic and is not something that can be done effectively or securely without understanding the underlying mechanisms being employed. For SSO with TIBCO® BPM the following mechanisms are supported:
TIBCO BPM Enterprise 5.x supports the following types of Authentication:
- Basic Authentication- The credentials used for authentication is obtained from the HTTP request in the form of user name and password. The user name and password are authenticated against an LDAP.
- SAML Web Profile - If your TIBCO BPM Enterprise application is configured to use SAML Web Profile for authentication, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports SAML Web Profile.
- OpenID Connect - If your TIBCO BPM Enterprise application is configured to use OpenID Connect, users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports OpenID Connect.
UI Side of Single Sign-On mechanisms
SPNEGO/Kerberos (Windows) and Siteminder work with web UI clients and therefore also with REST APIs. SPNEGO/Kerberos is primarily useful for browser support on a Microsoft platform. However, getting this working is hard. It is however a really neat way of doing SSO for end users if you have everything configured correctly and running a compatible browser on a windows box and authenticating against the same ActiveDirectory (AD) that is used by TIBCO ActiveMatrix® BPM 4.x for its LDAP. This configuration extensively depends on the way customers have implemented their AD architecture. Get someone who knows about this customer AD and Kerberos involved if you want a stress free implementation of this capability.
API Side of UI Side of Single Sign-On mechanisms
With TIBCO® BPM Enterprise 5.x users of your application can log in using a user name and password issued by an Identity Provider (IdP) that supports SAML Web Profile.
SAML and X509 as far as TIBCO ActiveMatrix® BPM 4.x is concerned are for SOAP only. From a client perspective, ADFS and WIF will do both. The thing to watch out for here is the certificate requirements. X509 is much more complex because the certificate management parts of this are hard and the management aspects of this technology may not be acceptable to customers. SAML is much easier to deal with. The SAML profile ActiveMatrix is using is "sender vouches", which means that an IDP is not needed, just the capability to sign messages in the required way is necessary.
The difficulties with all of this are not with ActiveMatrix® or ActiveMatrix® BPM 4.x or TIBCO BPM Enterprise 5.0, but simply because SSO authentication is a difficult topic. By far the simplest mechanism mentioned above is SAML with SOAP because it is "sender vouches". and only requires the sender to be able to appropriately sign the SOAP/REST messages, which only requires access to the correct certificate.
BTW, there is no option to just turn off authentication. This would be a terrible security vulnerability. Even the option to be able to turn this off would be considered a vulnerability.
SAML Validation in TIBCO® BPM Enterprise 5.x and TIBCO ActiveMatrix® BPM 4.x (AMX BPM) has 2 parts
Authentication:: BPM validates the user based on its SAML Token and would do the Authentication /Authorisation based on the SAML Token provided. This can create security threats as any user/application can create a SAML token and call the BPM Services, to overcome this issue the Integrity is Mandatory.
Integrity:: Integrity is maintained through the X509 signing of the Security header as well as the whole body of the message, in e.g. a TIBCO BusinessWorks? (BW) scenario sign the Security Header and Body using its Private Certificate. BPM will have the corresponding Public certificate in its trust store to validate the message.
- Amazon Alexa and TIBCO ActiveMatrix BPM Integration Skill Demo
Any contribution is welcome!