Configuring a custom authenticator plug-in
IBM® Business Process Manager Process Center supports the use of a custom authenticator plug-in to work with your third-party authentication single sign-on (SSO) environment.
Before you begin
- Verify which type of third-party authentication SSO you are using, for example, IBM HTTP Server (IHS) or SiteMinder.
- Complete the custom authenticator configuration before you install Process Designer.
- Configure the httpProtocolOnly property for Process Designer to use the HTTP or HTTPS protocol instead of Java's Remote Method Invocation (RMI) with Java™ Messaging Service (JMS). See Configuring the httpProtocolOnly property for Process Designer.
- For some external links, for example the generated report link for a process app, to work properly with a custom authenticator plug-in, set add-redirect-url-credentials to false. For information about setting properties, see Setting preferences.
About this task
You define a login authenticator in Process Designer to declare an extension for client-side login logic that addresses special authentication requirements from the server side. When authentication is triggered, Process Designer retrieves the authenticator application programming interface (API) and starts the login logic. The authenticator extension point is an API that is provided in the Eclipse plug-in format.
The authenticator API can return two sets of security tokens. The first set is shared among all connections that use Java HTTP clients triggered by user Create, Read, Update and Delete (CRUD) activities within one Process Designer. This set supports inactivity timeout on user interaction requests. The second set is shared during Process Designer and Process Center communication, CometD initialization, and embedded browsers. This set does not provide inactivity timeout support. If the authenticator API returns only one set of security tokens, that set is shared among all HTTP clients within Process Designer. In that case the authenticator API uses the same set of security tokens for polling and inactivity timeout, so active polling disables inactivity timeout. If you are using a custom plug-in and want to support inactivity timeout, your environment must support two security tokens.
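The following added example is a constructed model, not IBM code or the authenticator API. It shows why a single shared token set defeats the inactivity timeout while polling is active, and why a separate polling set restores it. The class and function names, the 30-minute idle limit and the 60-second polling period are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 30 * 60  # assumed idle limit in seconds
POLL_INTERVAL = 60      # assumed polling period in seconds


@dataclass
class TokenSet:
    idle_timeout: Optional[int]  # None = no inactivity timeout on this set
    last_used: int = 0
    valid: bool = True

    def present(self, now: int) -> bool:
        """Model of the server check: reject if idle too long, else refresh."""
        if self.idle_timeout is not None and now - self.last_used > self.idle_timeout:
            self.valid = False
        if self.valid:
            self.last_used = now
        return self.valid


def user_request_accepted(two_sets: bool, idle_seconds: int) -> bool:
    """User acts at t=0, walks away, and acts again at t=idle_seconds.

    Polling runs the whole time. Returns True if the later user request is
    still accepted, i.e. the inactivity timeout did NOT end the session.
    """
    interactive = TokenSet(idle_timeout=IDLE_TIMEOUT)
    # Two sets: polling carries its own tokens with no inactivity timeout.
    # One set: polling reuses the interactive tokens and keeps them fresh.
    polling = TokenSet(idle_timeout=None) if two_sets else interactive
    interactive.present(0)
    for now in range(POLL_INTERVAL, idle_seconds, POLL_INTERVAL):
        polling.present(now)
    return interactive.present(idle_seconds)


if __name__ == "__main__":
    for two_sets in (False, True):
        for idle in (10 * 60, 2 * 60 * 60):
            print(f"two_sets={two_sets} idle={idle}s "
                  f"accepted={user_request_accepted(two_sets, idle)}")
```

With one set, a user request after two hours away is still accepted, so an unattended Process Designer session never times out; with two sets the same request is rejected.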