Authentication failed for Maximo Mobile for EAM version 9 with SSO

  • 1.  Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Thu November 06, 2025 11:52 PM

    Hi All,

    We have upgraded from Mobile 8.10 to Mobile 9 to satisfy the authentication flow to pass through the web browser rather than the native application in-app browser like it does on Mobile for EAM 8.10.

    We have SSO enabled and applied a conditional access policy on the Azure App. We also configured useSystemBrowserLogin=True in the MDM configuration properties for Android and iOS.

    But it seems useSystemBrowserLogin=True works only with Maximo Mobile (MAS app) and is not applicable for the Maximo Mobile for EAM app. Also, the EAM app can't send the Device ID as part of the device response, and thus the conditional access policy needs to be built without using Device ID. Here we have confirmed with the Azure team on the Conditional access policy that it's not possible to exclude device id from the policy, as Entra will validate a login attempt as "success" only by using the device id.

    When we set the useSystemBrowserLogin=True property in MDM, the app is capturing DEVICEID in the Azure sign-in logs, but the Mobile App is not showing login successful due to an "Authentication Failed" error.

    Has anyone faced this issue with Maximo 7.6.1.3 and Maximo Mobile for EAM 9.0?

    Appreciate your valuable inputs.

    Thanks.



    ------------------------------
    Bincy Jose
    ------------------------------


  • 2.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Fri November 07, 2025 07:47 AM

    We are also having a similar issue, and Mobile 8.x EAM authentication failed with access denied. A case has been open with IBM for the longest time, yet no solution.



    ------------------------------
    Jignesh Shah
    ------------------------------



  • 3.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Fri November 07, 2025 10:02 AM
    Edited by Larry van Elewoud Fri November 07, 2025 10:26 AM

    Hi Bincy, are you being redirected to the login page of the identity service provider? And is Maximo open to the internet or is it behind a proxy?

    We have 2 customers using Entra (1 on iOS and 1 on Android). Both working successfully with sending device id. Both on Maximo EAM 7.6.1.3. This is only possible as from version 9.0. So the upgrade has been a good idea. On Android you should also set enable browser access in Microsoft Authenticator (settings -> Device registration -> <your company> -> Enable Browser access -> continue and accept certificate)

    For SAML to work on mobile, the maximo property "mxe.useSAML" should be set to one (to have the redirect to the login page specified in your SAML configuration). In some situations ldapisform also needs to be set to 1 if I'm correct.

    Make sure you are a member of the applicable AD groups. And if behind a proxy, the proxy should be set to pass through (as pre-authentication won't work).

    Hope this will help you out a bit.

    Cheers,

    Larry



    ------------------------------
    Larry van Elewoud
    Technical Engineer
    Gemba Service B.V.
    Netherlands
    ------------------------------



  • 4.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Tue November 11, 2025 12:54 AM
    Thanks Larry.
    Yes, we are being redirected to the login page of the identity service provider, and the login was also validated successfully with SSO and 2-step authentication.
    After the successful validation it gives the "authentication failed" error in the app for both iOS and Android.
    Here we are using a load balancer. The Maximo property "mxe.useSAML" is set to one. Users are members of the respective AD group.
    Device settings status inside Company Portal shows "In compliance".
    We are testing with the app available in Company Portal, which was set up via MDM.
    On Android, we get the prompt to accept the certificate, and even when we proceed with it, app login is failing.
    In Microsoft Authenticator-Settings, I don't see the option mentioned above as the ORG is not listed.
    In Company Portal, under Settings we have the "Enable Browser Access" option, which asks us to select a certificate from 2 different types (VPN and app user certificate / Wi-Fi Certificate). Do we need to use any of these for successful app connectivity, considering the above scenario details?
    Kindly share your comments.
    Thanks in advance.


    ------------------------------
    Bincy Jose
    ------------------------------



  • 5.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Thu November 13, 2025 01:56 AM
    Hi Larry,
    Thank you for your quick response.
     
    The devices are registered (managed by Intune).
    When we set the property useSystemBrowserLogin=false, the device id will be captured.
    But we need to set this as TRUE while enabling the conditional access policy on the Azure App.

    Currently we have Pre Authentication set as "Microsoft Entra ID" in Application Proxy, since all the apps should go through Entra ID first.

    Could you please share more details on "proxy with passthrough was the option" for other customers who faced the same issue?
    Does the app capture the device id with this option?
     
    Thanks.


    ------------------------------
    Bincy Jose
    ------------------------------



  • 6.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Thu November 13, 2025 02:44 AM

    Hi Bincy,

    With the proxy set to pre-authentication the necessary cookies will get lost in the process. (too many round trips).

    When the application proxy is set to pass-through, then the device id will also be sent to inTune. Authentication will still go through Entra-Id as the SAML implementation will redirect the login to the idsp url. Devices should be managed by inTune.

    Set the useSystemBrowserLogin=True and it should work. 

    Information Microsoft application proxy:

    Pre Authentication: How application proxy verifies users before giving them access to your application.

    Microsoft Entra ID - Application proxy redirects users to sign in with Microsoft Entra ID, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Microsoft Entra security features like Conditional Access and multifactor authentication. Microsoft Entra ID is required for monitoring the application with Microsoft Defender for Cloud Apps.

    Passthrough - Users don't have to authenticate against Microsoft Entra ID to access the application. You can still set up authentication requirements on the backend.


    ------------------------------
    Larry van Elewoud
    Technical Engineer
    Gemba Service B.V.
    Netherlands
    ------------------------------



  • 7.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Thu November 13, 2025 09:40 AM

    Hi Bincy, when pre-authentication is set on the proxy there are too many round trips, ending up with the authentication failing, as the login information won't reach your end point.

    With pass through you will still have the authentication through Entra-Id (assuming SAML is set up in WebSphere). The SAML application in WebSphere will handle the configured redirection to the idsp.

    With pass through you are still able to set the deviceid as mandatory in inTune, and the device id will be received with useSystemBrowserLogin=true.

    Microsoft information on application proxy:

    Pre Authentication: How application proxy verifies users before giving them access to your application.

    Microsoft Entra ID - Application proxy redirects users to sign in with Microsoft Entra ID, which authenticates their permissions for the directory and application. We recommend keeping this option as the default so that you can take advantage of Microsoft Entra security features like Conditional Access and multifactor authentication. Microsoft Entra ID is required for monitoring the application with Microsoft Defender for Cloud Apps.

    Passthrough - Users don't have to authenticate against Microsoft Entra ID to access the application. You can still set up authentication requirements on the backend.



    ------------------------------
    Larry van Elewoud
    ------------------------------



  • 8.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Fri November 14, 2025 07:56 AM

    Thanks so much Larry.

    We could test these settings and it worked for us. We are checking with the Azure team here whether we can proceed with this option in Production.

    We would also like to know if you have some insights on what the app-side code changes were which IBM might have included in the Mobile 9 version of MAS, which allow the app to send the device id when we include the conditional access policy and set the property useSystemBrowserLogin=true.

    Thanks,



    ------------------------------
    Bincy Jose
    ------------------------------



  • 9.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted 28 days ago
    Edited by Larry van Elewoud 28 days ago

    Hi Bincy,

    You're welcome! The problem is the authentication cookie returned from the pre-authentication. In the second call to authorize for maximo, this cookie won't be available anymore so authentication fails. As I mentioned we had quite some meetings with IBM developer and a squad team to see if it could be solved. Unfortunately this wasn't the case. If you are fine with it, I would like to inform IBM you ran into this as well. If we can show there are more users experiencing this, it's more likely a solution will be investigated. As far as we were told, this issue isn't solved in MAS 9. And I guess it won't be in 9.1 as well. If in any case I get some new information I will keep you updated.

    Glad I could clarify things and help you.

    Kind regards,

    Larry



    ------------------------------
    Larry van Elewoud
    Technical Engineer
    Gemba Service B.V.
    Netherlands
    ------------------------------



  • 10.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted 28 days ago

    Thank you Larry. 

    We have an IBM PMR where we already reported this issue to the IBM team.

    We would appreciate receiving further updates when possible.

    Thanks.



    ------------------------------
    Bincy Jose
    ------------------------------



  • 11.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Thu November 13, 2025 12:40 PM

    My personal view of this situation

    Check the version of the "for EAM" app and whether a patch or update is required - there may be a fix available for the SSO/system browser flow and the device ID handling.

    Review the conditional access policy in your Azure/Entra tenant: you can temporarily remove the "device ID" condition or replace it with "approved/managed device" to test whether the absence of the device ID is indeed causing the blockage. (Even though Azure has confirmed that the device ID cannot be excluded, you might mitigate the condition during testing.)

    Enable advanced logging in Azure/Entra and on the mobile app (developer logs) to trace exactly what is being passed as "device ID", "device state", "app ID", and "redirect URI", and where the flow is failing. In particular, check whether the redirect after authentication shows any errors (such as Bad Gateway or problematic URL encoding like "/oslc/graphite/mobile/systembrowserlogin?key=…" as reported).

    Verify that the Maximo Manage 7.6.1.3 server and the mobile environment correctly support login via the system browser, and ensure there are no proxies or intermediate authentication layers that might alter the device/trust token.



    ------------------------------
    Paolo Tortiglione
    CEO
    Connet Global
    +39 339 339 8209
    ------------------------------
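
The sign-in log check suggested in the reply above can be scripted. This is an added example, not part of any post in this thread: it assumes the Entra sign-in logs were exported as JSON using the Microsoft Graph signIn field names (`appDisplayName`, `conditionalAccessStatus`, `deviceDetail.deviceId`); the application name, the records, the bucket names and the hint texts are constructed for illustration.

```python
import json
from collections import Counter

APP = "Maximo EAM (constructed)"  # assumed display name of the enterprise app

# Constructed sample export. Field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"appDisplayName": "Maximo EAM (constructed)", "conditionalAccessStatus": "failure",
  "deviceDetail": {"deviceId": "", "isCompliant": false}},
 {"appDisplayName": "Maximo EAM (constructed)", "conditionalAccessStatus": "success",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-0000000000a1", "isCompliant": true}},
 {"appDisplayName": "Maximo EAM (constructed)", "conditionalAccessStatus": "success",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-0000000000a1", "isCompliant": true}},
 {"appDisplayName": "Maximo EAM (constructed)", "conditionalAccessStatus": "failure",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-0000000000b2", "isCompliant": false}},
 {"appDisplayName": "Other app (constructed)", "conditionalAccessStatus": "notApplied",
  "deviceDetail": {"deviceId": ""}}
]""")

# What each bucket says about where the login breaks.
HINTS = {
    "ca_blocked_no_device_id": "Entra never saw a device ID; check which login path the app used.",
    "ca_blocked_device_id_sent": "Device ID arrived but the policy failed; check compliance state "
                                 "and the other policy conditions.",
    "ca_passed_device_id_sent": "Conditional Access passed with a device ID; an app-side "
                                "'Authentication Failed' lies downstream (proxy, cookies, SAML redirect).",
    "ca_passed_no_device_id": "Policy passed without a device ID; it is not requiring one.",
    "ca_not_applied": "No Conditional Access policy evaluated this sign-in.",
}

def classify(signin):
    """Bucket one sign-in record by Conditional Access result and device ID presence."""
    device_id = ((signin.get("deviceDetail") or {}).get("deviceId") or "").strip()
    sent = "device_id_sent" if device_id else "no_device_id"
    status = signin.get("conditionalAccessStatus")
    if status == "failure":
        return f"ca_blocked_{sent}"
    if status == "success":
        return f"ca_passed_{sent}"
    return "ca_not_applied"

def triage(signins, app_name=APP):
    """Count buckets for one application, ignoring sign-ins to other apps."""
    return dict(Counter(classify(s) for s in signins if s.get("appDisplayName") == app_name))

if __name__ == "__main__":
    for bucket, count in sorted(triage(SAMPLE_SIGNINS).items()):
        print(f"{count:3d}  {bucket}: {HINTS[bucket]}")
```

Running the triage once per test configuration (system browser login on and off, proxy pre-authentication and passthrough) shows whether a failed app login was rejected by Entra or lost after Entra had already accepted it.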



  • 12.  RE: Authentication failed for Maximo Mobile for EAM version 9 with SSO

    Posted Fri November 14, 2025 07:51 AM

    Thanks Paolo,

    App version is 1.0.24 released on 2 Mar 2021. We are checking with IBM if a patch is required, though IBM suggested to move to MAS.

    Login via system browser works fine.

    We faced the Bad Gateway error earlier ("/oslc/graphite/mobile/systembrowserlogin?key=") but this got resolved after making changes to the STS URL in the WebSphere interceptor configuration and opening the firewall ports.

    We are working with Azure team to see the best possible options.

    Thanks.



    ------------------------------
    Bincy Jose
    ------------------------------