TIBCO Cloud Federated Authentication

The TIBCO Cloud federated authentication feature allows users to sign in to TIBCO Cloud with their federated credentials. In TIBCO Cloud, you can configure a custom Identity Provider (IdP) to authenticate user credentials instead of relying on the IdP provided by TIBCO. After a custom IdP is configured and enabled for an email domain, all users in that email domain can sign in to TIBCO Cloud using their federated credentials.

TIBCO Cloud currently supports the following types of external IdPs:

  • Google

  • External SAML SSO Server

  • LDAP

  • JWT-based OAuth for REST-based OEM solutions (RFC 7521)

Note: Although organization owners can be granted permission to enable multiple external IdPs, they can enable only one external IdP at a time.

Benefits of Using a Custom IdP

Configuring a custom IdP has the following benefits:

  • Eliminates the need for users to create and maintain an additional account with TIBCO

  • Enhances compliance with customer's security policies such as password strength, password aging, credential revocation, and auditing

  • Reduces the risk of a security breach by keeping the authentication process under the customer's control

Permission Management

Only organization owners can request permission to manage the Federated Authentication settings for an email domain. External IdPs that are configured by the organization owners affect all users that share the same email domain as the organization owners, regardless of their subscriptions. For this reason, granting permission to manage the Federated Authentication settings for an email domain must be carefully controlled. It is a good practice to grant this privilege to only one organization owner for a company's email domain.

As an organization owner, you can request permission by clicking the link on the Settings tab in the TIBCO Cloud web user interface. A confirmation email is sent to you to acknowledge the request. Another one is sent when the request is approved or denied.

External IdP Configuration

Signing in with Google: If your organization uses Google as the authentication provider for your users, they can sign in to TIBCO Cloud by clicking Sign in with Google. Configuring Google as your authentication provider lets your users at your-domain.com authenticate with Google; TIBCO no longer saves or prompts you for passwords. For more information, see the Signing in with Google topic in this section.

Using your corporate account: If your organization uses a SAML 2.0 compliant IdP, users from your organization can sign in to TIBCO Cloud by clicking Use your corporate account. However, you must contact the TIBCO Support team to configure SAML. TIBCO no longer saves or prompts you for passwords. For more information, see the Signing in with a Corporate Account topic in this section.

With a corporate account, you can bypass the TIBCO Account login page by navigating to or bookmarking any TIBCO Cloud URL with /xidp/your-domain-name prefixed to the path. The browser then goes straight to your IdP.

Using the LDAP server: If users of your organization can be authenticated by a publicly accessible LDAP server, you can configure LDAP yourself. However, you must have the credentials of an administrative user. For more information, see the Managing LDAP Connections topic in this section.

Using OEM Authentication: Organization owners can take over the authentication of their users if access is only via the REST API and not through a browser. Authentication is done by exchanging a JWT signed by the organization owner for an OAuth access token to TIBCO Cloud.
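The JWT-for-access-token exchange described above, as an added example that is not TIBCO's code: it is modelled on the RFC 7521/7523 jwt-bearer grant, and the token endpoint URL, key and claim values are constructed placeholders, with HS256 standing in for the asymmetric signature an organization owner would use in practice.

```python
import base64, hmac, hashlib, json, time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type
TOKEN_ENDPOINT = "https://example.invalid/oauth/token"        # placeholder, not a TIBCO URL

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_assertion(claims: dict, key: bytes) -> str:
    """Build a compact JWS; HS256 keeps this stdlib-only (demo simplification)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def build_token_request(assertion: str) -> str:
    """Form body POSTed to the token endpoint (RFC 7521 section 4.1)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})

def verify_assertion(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Checks the token endpoint must perform before issuing an access token
    (RFC 7523 section 3): signature, iss, aud, a subject, and unexpired exp."""
    now = int(time.time()) if now is None else now
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("assertion not intended for this token endpoint")
    if "sub" not in claims:
        raise ValueError("missing subject")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    return claims
```

An assertion that fails any of these checks must be rejected rather than exchanged; a real token endpoint would additionally enforce single use via the jti claim.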

Points to be Noted

  • Users who receive invitations to join TIBCO Cloud need not set up a password with TIBCO if their email domain has a custom IdP configured and enabled. They can continue to use their corporate login to sign up.

  • TIBCO does not manage the account lockout and password policies for the users of an organization for which external IdP or LDAP has been configured.

  • After you send a request for permission to enable signing in by using your federated credentials, you can cancel your request before it is approved.

  • After you enable Enterprise SSO, new users are not issued a password by TIBCO Accounts. Instead, they are redirected to your IdP.

  • If you cannot sign in to TIBCO Cloud to make Enterprise SSO changes, you can contact TIBCO Support (see Contacting Support). They can disable mandatory sign-in for you so that you can make the desired changes.