Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). By using SAML, you can create a single login ID for multiple systems.
As the adoption of cloud is increasing, more and more organizations are inclined to use authentication available in IdPs and it has in turn increased the adoption of SAML based authentication and Single Sign On (SSO).
IBM has also given capability to integrate Maximo Asset Management with different IdPs like Azure AD using SAML. In this post, we shall see the different steps involved in planning and implementation of Azure AD Integration using SAML.
Azure AD Maximo Integration Set Up:
To integrate Maximo with Azure AD, following are the high-level configuration steps which need to be done:
- Set Up Azure Active Directory in Azure Portal.
- Create Users and Group in Azure Active Directory.
- Create Enterprise Application for IBM Maximo.
- Granted access of enterprise application to group and users.
- Configure enterprise application in Azure Portal.
- Install SAML ACS application in IBM WebSphere Console.
- Configure SAML Trust Association interceptor in Global Security. com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
- Configure Custom Properties for SAML Authentication in Global Security. com.ibm.websphere.security.DeferTAItoSSO and com.ibm.websphere.security.InvokeTAIbeforeSSO
- Configure properties for SAML Authentication for SP and IdP in SAML Trust Association interceptor.
- Write Java code to Implement AuthnRequestProvider and configure in WebSphere.
- Import Azure AD Certificate into WebSphere in CellDefaultTrustStore
- Enable https on IBM Http Server with Self Signed Certificate.
- Enable Application Server Security in Maximo.
- Set SAML related properties in Maximo.
- Change the Trusted Realm on Maximo application.
- Ensure Login ID of users in Maximo is same as User Principal Name of the user in Azure AD.
- Restart Deployment Manager, Synchronize Node and restart Application Server JVMs. Make sure Maximo and SAML ACS application is started.
After configuration is done, you should be able to validate Maximo using Azure AD as shown below.
Limitations and Challenges:
SAML Authentication on Maximo has some of the limitations as well. Currently SAML Authentication is only available on Maximo UI application and following features are not supported with SAML Authentication:
- Browser-less connections with MIF, REST & OSLC APIs
- User synchronization using VMMSYNC and LDAPSYNC Cron Tasks
- BIRT Report Only Server (BROS) and Cognos Configuration
SAML Authentication on Mobile:
EAM360 has developed the solution to have authentication with Azure AD using SAML. EAM360 mobile app for maximo provides the ability to use SAML Authentication for authentication similar to Maximo UI. This ensures the users can have seamless authentication experience on their mobile devices and on web.
If you have any questions or looking to implement SAML Authentication with Maximo or Mobile, feel free to reach out to us.
Principal Solution Architect