Process.getOriginatorName() returns a different username than expected

Article ID: KB0086456

Products / Versions:
   o TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM)
   o Not Applicable

Description:
============
When SAML authentication is used, the user that signs the sender-vouches certificate should not be an AMX BPM user. If the signing user is a BPM member, or is the LDAP entry corresponding to tibco-admin, then the wrong identity can sometimes be picked up by Process.getOriginatorName().

Environment:
===========
   o TIBCO ActiveMatrix BPM 1.3.x, 2.1.0
   o All platforms

Symptoms:
========
TIBCO ActiveMatrix BPM:

Sometimes the signer of a sender-vouches assertion is picked up instead of the X509 identity carried in the assertion. This is seen in the Events for process instances and also when Process.getOriginatorName() is called.


Cause:
=====
When a sender-vouches message arrives, BPM:
1. Verifies the signature of the incoming message against the public certificate.
   This confirms that the message originates from a trusted source.
2. Validates that the identity supplied in the SAML assertion is associated with a
   registered user in the BPM organization model. Sometimes the identity handed to this validation is that of the signer rather than the supplied BPM username or DN, and it passes validation only because the signer happens to be a BPM user.


Resolution:
==========
If tibco-admin has been set to the same user as the signing user (see de.properties), then either change the tibco-admin LDAP string to a different user or regenerate the certificate using a different user.
If the signing user is not tibco-admin and is not otherwise needed in BPM, then that user can be deleted as a BPM resource, so that it can no longer be resolved as a valid originator.
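As an added illustration (not TIBCO code, and not the product's real API), the following Python models the two-step sender-vouches check from the Cause section, with a switch that reproduces the defect, plus a preflight check for the configuration the Resolution describes. The DNs, usernames and the organization model are constructed.

```python
# Added example, not TIBCO code. Models the Cause (signature check, then
# identity check against the org model) and the Resolution (signer must not
# be tibco-admin or any BPM resource). All identities below are constructed.
from dataclasses import dataclass
from typing import List, Optional

# Constructed values; the real tibco-admin DN comes from de.properties.
TIBCO_ADMIN_DN = "cn=tibco-admin,ou=people,dc=example,dc=com"
TRUSTED_SIGNERS = {TIBCO_ADMIN_DN, "cn=svc-signer,ou=services,dc=example,dc=com"}
BPM_RESOURCES = {"alice", "bob", TIBCO_ADMIN_DN}   # identities in the org model


@dataclass(frozen=True)
class SenderVouchesMessage:
    signer_dn: str           # subject DN of the X.509 certificate that signed it
    assertion_subject: str   # BPM username or DN carried in the SAML assertion


def resolve_originator(msg: SenderVouchesMessage, *, defect: bool) -> Optional[str]:
    """Return the originator BPM identity, or None if validation fails.

    defect=True reproduces the behaviour in the Cause section: the signer's DN,
    not the assertion subject, is handed to the org-model check, and it only
    passes because the signer happens to be a BPM user."""
    if msg.signer_dn not in TRUSTED_SIGNERS:
        return None                                  # step 1: untrusted signer
    candidate = msg.signer_dn if defect else msg.assertion_subject
    return candidate if candidate in BPM_RESOURCES else None   # step 2


def signer_overlap_findings(signer_dn: str, tibco_admin_dn: str = TIBCO_ADMIN_DN) -> List[str]:
    """Preflight check mirroring the Resolution: the signing identity must not
    overlap with tibco-admin or with any other BPM resource."""
    findings = []
    if signer_dn == tibco_admin_dn:
        findings.append("signer is tibco-admin: change the tibco-admin LDAP "
                        "string or re-issue the certificate for a different user")
    elif signer_dn in BPM_RESOURCES:
        findings.append("signer is a BPM resource: remove it as a BPM resource "
                        "or sign with a non-BPM user")
    return findings


if __name__ == "__main__":
    msg = SenderVouchesMessage(TIBCO_ADMIN_DN, "alice")
    print("expected:", resolve_originator(msg, defect=False))   # alice
    print("observed:", resolve_originator(msg, defect=True))    # tibco-admin DN
    print(signer_overlap_findings(TIBCO_ADMIN_DN))
```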


References:
==========
TIBCO ActiveMatrix BPM - BPM Developer's Guide > Chapter 5 > Single Sign-on (SSO) Authentication
TIBCO ActiveMatrix BPM - BPM Administration > Chapter 3 Configuring TIBCO ActiveMatrix BPM Components > Configuring the Admin Use
