Signing in with a Corporate Account

With Enterprise SSO, an organization owner can allow users from a specific email domain to authenticate against a different IdP. Users can sign in to TIBCO Cloud by using single sign-on with a corporate account.

For a corporate email domain, users from your email domain need not set up passwords with TIBCO Account. Instead the credentials are authenticated by your SAML server.

For SAML, TIBCO acts as the service provider (SP): it initiates an authentication request to the IdP, which then responds with the SAML assertion. IdP-initiated login is not supported. The one benefit of the IdP-initiated flow, bookmarking a URL that bypasses the TIBCO Account login page when signing in to TIBCO Cloud, is provided instead by the /xidp URL prefix described below.

Note: This functionality is not available to organization owners with email addresses from free email services such as gmail.com or yahoo.com, because they do not own the email domain and so cannot make authentication decisions that apply to all users from that domain. Users from gmail.com can still sign in by clicking the Sign in with Google button, but they cannot decide for the whole organization.

With a corporate account, you can bypass the TIBCO Account login page by navigating to, or bookmarking, any TIBCO Cloud URL with /xidp/your-domain-name prefixed to its path. The browser then goes straight to your IdP.

For example, https://integration.cloud.tibco.com/xidp/example.com/applications takes you to the example.com sign-in page and then to https://integration.cloud.tibco.com/applications.

If you are already signed in through your IdP, there is no redirect. If, however, you are signed in under another account, you are redirected to the authentication page of the requested IdP.

Note that a direct URL to the customer's IdP is available for every TIBCO Cloud URL that is accessible through the web UI, except for TIBCO Cloud™ Mashery®.
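The /xidp prefix is a plain path rewrite, so it is easy to generate and to check. The following Python helper is an added example, not TIBCO's own code: it builds the IdP-direct form of a TIBCO Cloud URL for a given corporate domain, refuses domains from free email services (the page names gmail.com and yahoo.com; the list here is an illustrative constant), refuses a URL that already carries the prefix, preserves query string and fragment so a bookmarked deep link lands on the saved page, and reverses the rewrite so a service can recover the domain and the target page. The FQDN check and the hostnames are assumptions for the example.

```python
"""Build and parse the /xidp/<domain> prefix that sends a TIBCO Cloud URL
straight to a corporate IdP. Added example, not TIBCO's own code."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Free email services whose users cannot enable Enterprise SSO for an
# organization. The page names gmail.com and yahoo.com; this constant is
# illustrative, not an authoritative list.
FREE_EMAIL_DOMAINS = frozenset({"gmail.com", "yahoo.com"})

# Hostname label in the usual DNS style: 1-63 chars, alphanumerics with inner hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

XIDP_PREFIX = "/xidp/"


def _normalize_domain(domain: str) -> str:
    """Lower-case the domain and drop surrounding whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def is_corporate_domain(domain: str) -> bool:
    """True if `domain` is a syntactically valid FQDN and not a free email service."""
    d = _normalize_domain(domain)
    return bool(_FQDN_RE.match(d)) and d not in FREE_EMAIL_DOMAINS


def idp_direct_url(url: str, domain: str) -> str:
    """Return `url` with /xidp/<domain> prefixed to its path.

    Raises ValueError for a non-corporate domain, a non-https or relative URL,
    or a URL that already carries the prefix, so callers never build a double
    prefix by accident.
    """
    if not is_corporate_domain(domain):
        raise ValueError(f"not a corporate email domain: {domain!r}")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an absolute https URL: {url!r}")
    if parts.path.startswith(XIDP_PREFIX):
        raise ValueError("URL path already carries an /xidp/ prefix")
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    new_path = f"{XIDP_PREFIX}{_normalize_domain(domain)}{path}"
    # Query string and fragment are kept so a bookmarked deep link still lands
    # on exactly the page the user saved once the IdP has authenticated them.
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


def split_idp_direct_url(url: str) -> Optional[Tuple[str, str]]:
    """Inverse of idp_direct_url: return (domain, target_url), or None if
    `url` has no /xidp/ prefix."""
    parts = urlsplit(url)
    if not parts.path.startswith(XIDP_PREFIX):
        return None
    rest = parts.path[len(XIDP_PREFIX):]
    domain, _, tail = rest.partition("/")
    target = urlunsplit((parts.scheme, parts.netloc, "/" + tail, parts.query, parts.fragment))
    return domain, target


if __name__ == "__main__":
    direct = idp_direct_url("https://integration.cloud.tibco.com/applications", "example.com")
    print(direct)
    print(split_idp_direct_url(direct))
```

The domain check matters at the point where an organization owner's request is accepted: an owner from a free email provider cannot own the domain, so no /xidp route should ever be created for it.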

Note:

For SAML, only SP-initiated login is supported. IdP-initiated login is not supported because it is vulnerable to attacks that steal the authentication request. TIBCO, as the service provider, initiates a request to the IdP, which then responds with the SAML assertion. IdP-initiated login would let you bookmark URLs that redirect authenticated users to the service provider's page and bypass the TIBCO sign-in prompts; TIBCO Cloud provides the same convenience by letting you prefix the desired URL's path with /xidp, as described earlier.

The following diagram illustrates the SP-initiated SAML flow. The non-supported IdP-initiated flow starts at step 4.
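What "SP-initiated only" means at the service provider is that every SAML Response must answer an AuthnRequest the SP itself issued. The following Python model is an added example, not TIBCO's code, and is not a full SAML implementation (signatures, conditions and encoding are omitted). The SP records the ID of each AuthnRequest it sends; when a Response arrives it requires an InResponseTo that matches a pending, unexpired request, consumes that ID so the Response cannot be replayed, and checks the Destination. An unsolicited Response, which is exactly what an IdP-initiated flow produces, carries no InResponseTo and is rejected. The entity IDs, endpoints and the toy IdP are assumptions for the example.

```python
"""Model of the SP-initiated SAML flow with InResponseTo tracking.
Added example, not TIBCO's code; signatures and encoding are out of scope."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://sp.example.com"       # assumed SP identifier
IDP_SSO_URL = "https://idp.example.com/sso"   # assumed IdP single sign-on endpoint
ACS_URL = "https://sp.example.com/acs"        # assumed assertion consumer service URL
REQUEST_TTL = timedelta(minutes=5)            # how long an AuthnRequest stays answerable


class ServiceProvider:
    """Tracks outstanding AuthnRequests so that only matching Responses are accepted."""

    def __init__(self):
        self._pending = {}                                   # request ID -> issue time
        self.clock = lambda: datetime.now(timezone.utc)      # injectable for tests

    def create_authn_request(self) -> str:
        """Step 1 of the SP-initiated flow: build an AuthnRequest and remember its ID."""
        req_id = "_" + secrets.token_hex(16)
        now = self.clock()
        self._pending[req_id] = now
        root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
            "ID": req_id, "Version": "2.0", "IssueInstant": now.isoformat(),
            "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL})
        ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY_ID
        return ET.tostring(root, encoding="unicode")

    def consume_response(self, response_xml: str) -> str:
        """Final step: accept a Response only if it answers one of our pending requests."""
        root = ET.fromstring(response_xml)
        in_response_to = root.get("InResponseTo")
        if not in_response_to:
            raise ValueError("unsolicited Response: IdP-initiated login is not supported")
        issued = self._pending.pop(in_response_to, None)     # single use: blocks replay
        if issued is None:
            raise ValueError("InResponseTo does not match any pending AuthnRequest")
        if self.clock() - issued > REQUEST_TTL:
            raise ValueError("AuthnRequest has expired")
        if root.get("Destination") != ACS_URL:
            raise ValueError("Response Destination is not this SP's ACS URL")
        name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
        if name_id is None or not name_id.text:
            raise ValueError("Response carries no NameID")
        return name_id.text


def idp_respond(authn_request_xml: Optional[str], user: str) -> str:
    """Toy IdP: answer an AuthnRequest, or emit an unsolicited Response when given None."""
    attrs = {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "Destination": ACS_URL}
    if authn_request_xml is not None:
        attrs["InResponseTo"] = ET.fromstring(authn_request_xml).get("ID")
    root = ET.Element(f"{{{NS['samlp']}}}Response", attrs)
    assertion = ET.SubElement(root, f"{{{NS['saml']}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID").text = user
    return ET.tostring(root, encoding="unicode")


def sp_initiated_login(user: str) -> str:
    """Run the supported flow end to end and return the authenticated NameID."""
    sp = ServiceProvider()
    request = sp.create_authn_request()      # SP -> IdP
    response = idp_respond(request, user)    # IdP -> SP, carries InResponseTo
    return sp.consume_response(response)


def unsolicited_response_rejected(user: str) -> bool:
    """True if the SP refuses a Response that was not preceded by its AuthnRequest."""
    try:
        ServiceProvider().consume_response(idp_respond(None, user))
    except ValueError:
        return True
    return False


def replay_rejected(user: str) -> bool:
    """True if presenting the same valid Response twice fails the second time."""
    sp = ServiceProvider()
    response = idp_respond(sp.create_authn_request(), user)
    first = sp.consume_response(response) == user
    try:
        sp.consume_response(response)
    except ValueError:
        return first
    return False


if __name__ == "__main__":
    print(sp_initiated_login("alice@example.com"))
    print(unsolicited_response_rejected("alice@example.com"), replay_rejected("alice@example.com"))
```

The pending-request table is the piece that distinguishes the two flows: without it an SP has no way to tell a Response it asked for from one that merely arrived at its ACS URL.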

Prerequisites

  • Your organization must have an IdP that is compliant with the SAML 2.0 web browser SSO profile.

  • Configuring the settings of a corporate account requires that the owner signs in using the corporate account option.

Requesting Permission to Enable Corporate Account

To request permission to enable Corporate Account:

    Procedure
  1. On the Settings tab, in the Enterprise SSO section, select the checkbox to confirm that your organization complies with the applicable laws. Then click Request corporate next to Use corporate account.

  2. In the Request permission to enable Sign in with Corporate account dialog, enter all the necessary information and click Send.

    An email is sent to the TIBCO Support team. The TIBCO Support team then contacts you with further questions and instructions to set up your IdP so that TIBCO Cloud can authenticate your users against it. You can check the status of your request on the Settings tab.

    You can cancel your request before it is approved. In the Enterprise SSO section, click the Update button next to Use corporate account.

    After TIBCO and your IT department have configured and enabled services on both sides to authenticate users and you are satisfied with the setup, you can enable Sign in with corporate account for all users of the organization. After this step, all newly invited users in the organization are expected to be authenticated by your IdP instead of setting up passwords at TIBCO Accounts.

  3. On the Settings tab, in the Enterprise SSO section, click Update Configuration next to Use corporate account.

  4. In the Sign in with corporate account for <your organization name> Organization dialog, enable signing in with your corporate account for your organization.

    To sign in by using the corporate account, users must click Your corporate account.

    Users must enter the corporate domain to continue signing in to TIBCO Cloud.

    Users are then directed to the company-specific sign in page.

Note: You can bypass the last two screens while signing in by prefixing /xidp/fully-qualified-domain-name to the path of any TIBCO URL that requires you to sign in.

Warning:

After you enable signing in with your corporate account:

  • No new users are created at TIBCO Accounts. They are expected to be authenticated by their IdP. You can switch between using the TIBCO Account and your corporate account; notify your users when you do. For more information, see the Points to be Noted section on the TIBCO Cloud Federated Authentication page.

  • If you have any members in invited state, you must retract their invitations and invite those members again.
