
Maximo SSO with multiple Identity Providers

  • 1.  Maximo SSO with multiple Identity Providers

    Posted Wed May 19, 2021 05:01 PM
    Hello guys,
    We want to have SSO in Maximo. We are implementing a Maximo 7.6 instance with multiple identity providers (e.g. Azure AD & Ping Identity).
    Can anyone help and guide... is that possible? If yes, then how and all?

    Regards...

    ------------------------------
    mx pro
    ON
    ------------------------------

    #Maximo
    #AssetandFacilitiesManagement


  • 2.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 01:55 AM
    Hi Mx Pro,

    I think it is possible with configuration of multiple security profiles and applying a different security profile for each cluster.

    Basically, you need to create 2 (or as many as you have identity providers) different security profiles, one for each identity provider.
    Apply the security profiles to different clusters. In this way each cluster will communicate with its assigned identity provider through the security profile configured.

    Users will need to use different Maximo login URLs which would redirect them to their respective identity providers.

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 3.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 08:58 AM
    We actually do this quite a bit. WebSphere has a redirect function to take the user to an identity provider when not authenticated that won't support redirecting to 2 unless you set up separate URLs, but if you're comfortable with one of them having to launch from the identity provider it's not much different than setting up one identity provider. When you're setting up the identity provider you have a lot of properties you configure on the trust interceptor. You'll have a sso_1.idp_1.SingleSignOnUrl for example. But you can easily create a second identity provider (i.e. sso_1.idp_2.SingleSignOnUrl) with the settings of the other identity provider utilizing a similar process to the first.

    We suggest utilizing email address as the login id (which does NOT have to match the USERID) to avoid conflicts (i.e. two JSMITH users).

    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    Cincinnati OH
    ------------------------------



  • 4.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 09:57 AM

    Thanks Steven and Biplab for your replies...

    Steven

    The issue is we cannot use emails as login IDs, as users are already using their assigned login IDs to log in to their computers. But one set of users are in Azure and the other set of users are in Ping.... We do not want them now to use other IDs to log in to Maximo.
    We want that once any user is in his/her system... then regardless of which identity provider he/she is in, he/she should avail the Single Sign On (SSO) for Maximo seamlessly...

    I hope this is doable...

    Comments / guidance / suggestions ... please

    Regards



    ------------------------------
    mx pro
    ON
    ------------------------------



  • 5.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 10:06 AM
    For clarity, when you are referring to SSO I assumed you meant SAML/Open ID (especially because you talked about Ping Identity). In that scenario, the user doesn't provide a username to initiate the login to Maximo. They authenticate in the identity provider which sends something over to Maximo which is configured in the identity provider. It can be literally whatever, though if you don't want it to be email and continue to provide something else that's a possibility as well.

    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    Cincinnati OH
    ------------------------------



  • 6.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 10:48 AM
    Hi Steve,

    This is an interesting suggestion. 
    There are 2 types of SSO initiation (I am talking about SAML):
    1. IDP Initiated: This is where the user tries to access Maximo from an IDP's portal. Maximo/WebSphere understands and authenticates the SAML Response from 2 different IDPs as per the configuration you have mentioned. Is my understanding correct?
    2. Maximo/WebSphere Initiated: In this case the user clicks on a Maximo URL and depending on the redirect Java code Maximo reaches out to the appropriate IDP. How does this process work if we have configured 2 IDP URLs? I do not remember a way to write code which would smartly decide on which IDP to send the SAML request. Would you please explain this bit more?

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 7.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 10:57 AM
    1) Yes, if you configure multiple identity providers WebSphere will handle as many IdP initiated logins as you want. With SAML, you're essentially just providing the loginid to Maximo and that's it. As long as the login id matches what the identity provider is sending to WebSphere, you're good.
    2) The redirect piece was what I mentioned here: "WebSphere has a redirect function to take the user to an identity provider when not authenticated that won't support redirecting to 2 unless you setup separate URLs...". If you set up separate URLs (i.e. url-idp1.mydomain.com and url-idp2.mydomain.com) you could redirect to different identity providers with some filter rules, but otherwise it can only redirect to one. So if you have users that want to go to url.mydomain.com/maximo, it will only redirect to 1 identity provider if they're not authenticated because it can't determine where to route them.

    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    Cincinnati OH
    ------------------------------



  • 8.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 03:49 PM
    Thanks Steven,
    So what I understood from you is that in our scenario, group 1 users (from Azure AD) and group 2 users (from Ping Identity), when both groups' users log in to their systems (meaning log in to Windows), then some identifier is sent from the identity authentication system to Maximo and the rest is seamless, and all the users can then log in to Maximo without again providing the credentials.
    Is my understanding correct?

    My next question is: while doing the configuration for SSO (Single Sign On), we would require to do 2 interfaces (or something)... and both configs will be as if there was a config with one system?

    Can you clarify the config part also ...

    Appreciate your guidance...


    ------------------------------
    mx pro
    ON
    ------------------------------



  • 9.  RE: Maximo SSO with multiple Identity Providers

    Posted Thu May 20, 2021 04:18 PM
    Logging into your PC and then launching Maximo without needing to authenticate is never SAML/OpenID to the best of my knowledge. Most of the time when you're talking Windows into WebSphere you're talking SPNEGO. If you're using SPNEGO to access Maximo, you've gone down the wrong path. It's bad, don't do it.

    Utilizing tools like Okta, Ping Identity, and Azure AD, you typically have a dashboard in the product that shows all apps you have access to as a user. You authenticate into this "dashboard" and then launch into those products. The rules you set up will determine whether another factor, username/password, etc. is required each time or just into the dashboard.

    See this video for Ping specifically (towards the end especially) to get an idea of what I'm talking about. https://www.youtube.com/watch?v=lHHL6E1kG0o&t=3s. 

    Now all of these products allow you to synchronize credentials from AD so your same AD username/password can be your username/password in these products. But AD by design has to work offline (need to use your PC on a plane for example) and people are going to connect from devices that aren't part of your domain (such as from a Mac, iPhone, Android, etc.). Good security practices also require 2 factor into systems, especially from high risk devices or locations, which is where Azure AD, Okta, Ping Identity, etc. really shine. Utilizing conditional access policies, you can block access from certain areas (such as out of the country), block them from accessing it outside of certain time windows (good for temporary employees), you can require them to accept a 2 factor prompt, etc. There's a lot of capabilities when you use the products. But in all of those, you're going to be accessing that web dashboard and then launching into the app for the most part. 

    Now some products (including WebSphere) can redirect to your identity provider and if the user has already authenticated it'll log them in without authenticating again. But they're going to have to authenticate into your identity provider. 

    As for the setup, utilize this for the Maximo specifics: Implementing Security Assertion Markup Language (SAML) security in Maximo Asset Management - IBM Documentation

    Utilize this for the WebSphere specifics: SAML web single sign-on - IBM Documentation

    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    Cincinnati OH
    ------------------------------



  • 10.  RE: Maximo SSO with multiple Identity Providers

    Posted Tue May 25, 2021 10:38 AM
    Hi Steve,
    Interestingly, IBM says that it is not possible to have users in different identity providers and then still do single sign on.
    So can you elaborate your thing...
    You are saying that single sign on can be set up when some of our users are in Azure AD and some are in Ping Identity.
    Are we on the same page?
    If yes, can you give a high level solution in easy terms so I can discuss with our vendor and IBM?
    I might be repeating but please help.
    Thanks

    ------------------------------
    mx pro
    ------------------------------



  • 11.  RE: Maximo SSO with multiple Identity Providers

    Posted Tue May 25, 2021 10:59 AM
    Yes, you can have some users who use Azure AD and some in Ping Identity (or any other identity provider). Just be aware that both providers could log in with the same user. I.e. if you have a MAXADMIN in both providers and launch into Maximo, both will be allowed. There is no restricting user A to Azure AD, for example. That's why ensuring the loginid is unique is critical to configuring two identity providers.

    When using SAML, WebSphere does all the heavy lifting and supports multiple identity providers. See: https://www.ibm.com/docs/en/was-nd/9.0.5?topic=sign-saml-single-scenarios-features-limitations, specifically "Support for single sign-on with multiple identity providers". Maximo is essentially just provided the loginid from WebSphere and then allows the user to log in. WebSphere does have limitations, such as only being able to redirect to a single identity provider (unless you configure multiple URLs and configure filters to restrict URLs to specific identity providers). But if you launch from an identity provider, you could have 1 or 100 identity providers without issue.

    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    ------------------------------



  • 12.  RE: Maximo SSO with multiple Identity Providers

    Posted Tue May 25, 2021 11:33 AM
    Thanks Steven,
    Can you and I have a call?
    I need to clarify some things which I am not getting.

    Waiting for your response

    ------------------------------
    mx pro
    ------------------------------



  • 13.  RE: Maximo SSO with multiple Identity Providers

    Posted Tue May 25, 2021 09:16 PM
    We have recently done Azure AD SSO for a customer and it works well, including SSO to Maximo Anywhere. In theory you should be able to set up multiple identity providers and extend as you desire as this is supported by WebSphere; we have done this in WAS but not specifically for Maximo. Part of implementing SAML is to use Application Server Security; essentially Maximo relies on WAS for authentication. As per the post by @Steven Shull, unique identity is key in making this work. SAML will assert an identity and WAS will trust that asserted identity. E.g. if in AD the asserted identity is 'JSMITH' (representing Jane Smith from directory A) and Directory B asserts 'JSMITH' (representing John Smith from directory B), then when 'JSMITH' gets to Maximo, which user does Maximo use for the JSMITH identity? Maximo won't care and both users would access as if they were the Maximo JSMITH user (which could be John or Jane or Jack if JSMITH in Maximo is neither of the above). This would rely on the IdP asserting the identity and presenting it to Maximo. I'm not sure how WAS would know which directory to route the request to if the user came to WAS/Maximo as unauthenticated. It's possible you may be able to do something tricky between the web server and the SAML filter to end up with a unique URL that routes to a specific IdP based on information in the originating request URL.

    It may also be worth considering your identity management beyond Maximo at an organisation level. I'm not sure what your specific use case is in this scenario. There are systems that will combine different directories into a single virtual directory and manage user duplication/merging and ensure unique identity etc. We have also worked with these before but not specifically with Maximo; the principle is the same. Some organisations do identity management very well and others don't. I see it as a critical component and of increasing importance where SSO and integrated systems are becoming the norm. Your identity touches every part of an org and can create downstream issues if not implemented well.

    Also thanks to @Biplab Choudhury whose posts helped us with our aforementioned Azure AD integration.

    ------------------------------
    Michael Kasteel
    Director
    ISW
    0402830412
    ------------------------------
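    The two points raised in posts 7, 11 and 13 (a shared Maximo URL can only redirect to one IdP unless each IdP gets its own hostname, and a loginid asserted by two IdPs lands on the same Maximo user) are easy to check before going live. The following is a constructed example added here, not WebSphere or Maximo code: it reads sso_1.idp_N.SingleSignOnUrl properties in the naming scheme mentioned above, simulates host-based routing with an assumed hostname-to-IdP map standing in for WebSphere's filter rules, and reports loginids that more than one IdP would assert. All URLs, hosts and users are made up.

```python
# Constructed example: simulates multi-IdP redirect routing and a loginid
# collision check. Not WebSphere or Maximo code; the HOST_TO_IDP map is an
# assumption standing in for the URL filter rules the thread refers to.
import re
from collections import defaultdict

IDP_URL_RE = re.compile(r"^sso_1\.(idp_\d+)\.SingleSignOnUrl$")

# Constructed TAI-style properties, one idp_N block per identity provider.
TAI_PROPERTIES = {
    "sso_1.idp_1.SingleSignOnUrl": "https://login.example-azure.test/saml2",       # stand-in for Azure AD
    "sso_1.idp_2.SingleSignOnUrl": "https://sso.example-ping.test/idp/SSO.saml2",  # stand-in for Ping
}

# Assumed filter rules: one dedicated hostname per IdP (made-up hosts).
HOST_TO_IDP = {
    "url-idp1.mydomain.com": "idp_1",
    "url-idp2.mydomain.com": "idp_2",
}
DEFAULT_IDP = "idp_1"  # the single IdP a shared URL can redirect to


def configured_idps(props):
    """Return {idp_id: SingleSignOnUrl} for every sso_1.idp_N.SingleSignOnUrl entry."""
    found = {}
    for key, value in props.items():
        m = IDP_URL_RE.match(key)
        if m:
            found[m.group(1)] = value
    return found


def choose_redirect(host, props=TAI_PROPERTIES, host_map=HOST_TO_IDP, default=DEFAULT_IDP):
    """Return (idp_id, url) an unauthenticated request on `host` is sent to.

    Dedicated hosts route to their IdP; any other host (the shared
    url.mydomain.com case) falls through to the one default IdP, which is
    the limitation the thread describes.
    """
    idps = configured_idps(props)
    idp_id = host_map.get(host.lower(), default)
    return idp_id, idps[idp_id]


def find_loginid_collisions(users_by_idp):
    """Return {loginid: [idp ids]} for every loginid asserted by more than one IdP.

    users_by_idp maps idp_id -> iterable of loginids that IdP will assert.
    Comparison is case-insensitive (an assumption, to be conservative).
    """
    seen = defaultdict(set)
    for idp_id, users in users_by_idp.items():
        for login in users:
            seen[login.upper()].add(idp_id)
    return {login: sorted(ids) for login, ids in seen.items() if len(ids) > 1}
```

Any loginid reported by find_loginid_collisions is one that either IdP could use to reach the same Maximo user, which is the case post 11 warns about.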



  • 14.  RE: Maximo SSO with multiple Identity Providers

    Posted Wed May 26, 2021 03:25 AM
    Hi Michael,

    Thanks for the mention. It gives me great pleasure to see I was able to share my knowledge which helped you and many others.

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    ------------------------------