BPM, Workflow, and Case

  • 1.  How to authenticate user in case of Headless Implementation

    Posted Thu May 12, 2022 11:55 PM
    We are building a headless process in IBM BAW (20.x, non-container). Business users will use a React-based web application, which will be hosted on Tomcat, to access BAW tasks.
    Can we establish SSO between tomcat and WebSphere such that BAW Rest API can be invoked seamlessly from web application?


    ------------------------------
    Manish Poddar
    ------------------------------


  • 2.  RE: How to authenticate user in case of Headless Implementation

    Posted Fri May 13, 2022 12:47 AM
    Manish, 

    You could set up SSO using SPNEGO. For calling the REST API OOTB services though, you could create a BAW user account (on premise)/service functional account (on cloud). To call specific service flows, you can expose them as Ajax to authenticated users.

    ------------------------------
    Ajay Katre
    Salient Process
    ------------------------------



  • 3.  RE: How to authenticate user in case of Headless Implementation

    Posted Fri May 13, 2022 02:42 AM
    Manish,

    You can achieve SSO by connecting two systems (your Tomcat React web app and BAW) to the same identity provider. This will ensure that a user who navigates via browser to the one and later to the other system is prompted for authentication just once, even though there is a screen flicker of redirects until the user gets into the 2nd system.
    In your headless scenario, you'll want to authenticate to the React web app and ensure that the browser-side JS code has a token at hand to include in REST requests to BAW so that these requests are authenticated.
    You can achieve that by obtaining tokens from e.g. an OIDC provider and configuring BAW to accept these tokens. BAW itself cannot act as an OIDC provider as traditional WebSphere does not offer this capability. However, you can install User Management Service for that purpose, see https://www.ibm.com/docs/en/baw/20.x?topic=management-installing-configuring-user-service
    I am not exactly sure why this is not mentioned in the BAW docs, but here is a flow for a browser web app to retrieve the tokens: https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/21.0.3?topic=SSYHZ8_21.0.3/com.ibm.dba.offerings/topics/con_ums_sso_browser.html

    ------------------------------
    Jens Engelke
    ------------------------------
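
An added example, not part of any post in this thread and not IBM code: a browser-side helper for the approach described in reply 3, which attaches a token to BAW REST requests only when the target is the BAW origin and the token has not expired. The origin `https://baw.example.com`, the REST path used in testing, the `Authorization: Bearer` header and a JWT-formatted token with an `exp` claim are all assumptions.

```javascript
// Added example. Origin, header convention and token format are assumptions.
const BAW_ORIGIN = "https://baw.example.com"; // hypothetical BAW host

// Read the payload of a JWT-formatted token (base64url). No signature check:
// verification is the server's job, the client only needs the `exp` claim.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Treat a token with no numeric `exp`, or one within the skew window, as expired.
function isExpired(token, nowSeconds, skewSeconds = 30) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== "number" || exp - skewSeconds <= nowSeconds;
}

// Build fetch() arguments for a BAW REST call. The token is attached only for
// the configured BAW origin over HTTPS, so it cannot leak to another host.
function buildBawRequest(url, token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const target = new URL(url, BAW_ORIGIN);
  if (target.protocol !== "https:" || target.origin !== BAW_ORIGIN) {
    throw new Error("refusing to send token to " + target.origin);
  }
  if (isExpired(token, nowSeconds)) {
    throw new Error("token expired; re-authenticate with the identity provider");
  }
  return {
    url: target.href,
    init: {
      method: "GET",
      headers: { Authorization: "Bearer " + token, Accept: "application/json" },
      credentials: "omit", // rely on the token, not on ambient cookies
    },
  };
}

// Constructed, unsigned sample token for illustration only.
function makeSampleToken(exp) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "none" }) + "." + enc({ sub: "user1", exp }) + ".sig";
}
```

In the web app, the result would be passed on as `fetch(req.url, req.init)`.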



  • 4.  RE: How to authenticate user in case of Headless Implementation

    Posted Wed July 06, 2022 05:08 AM
    Thanks! Jens. 

    We have decided to use SAML with Microsoft Azure.

    ------------------------------
    Manish Poddar
    ------------------------------