
SSO with Azure AD

  • 1.  SSO with Azure AD

    Posted Thu July 23, 2020 04:49 PM
    Team,

    Has anyone completed an SSO implementation in Maximo using Microsoft Azure AD?
    If so, can you please share steps or experiences? Did you enable it using SAML or OAuth?
    Did you face any implementation challenges?

    Any leads will be helpful, 
    Thanks 
    Venkat

    ------------------------------
    Venkataraman Guruswamy
    ------------------------------


  • 2.  RE: SSO with Azure AD

    Posted Mon July 27, 2020 10:00 AM
    We set up Maximo SSO on ADFS. At some point it will be moved to Azure.
    I would be interested in notes on Azure as well and would be happy to talk about ADFS.

    ------------------------------
    Chris Schulz
    ------------------------------



  • 3.  RE: SSO with Azure AD

    Posted Tue July 28, 2020 02:44 AM
    Hi,

    I have recently implemented SAML-based SSO using Azure as the Identity Provider for Maximo, Maximo Work Center and Maximo Anywhere.
    I can't tell you about the changes or steps required to do SAML-based SSO in Azure, but here is a link which has the steps for Maximo:
    https://salientprocess.zendesk.com/hc/en-us/articles/115006409528-Enabling-SAML-SSO-on-Websphere-8-5-with-a-Shibboleth-IDP

    Once the above steps are followed, you can access Maximo from the Azure portal, which is called an IdP-initiated SAML response.

    To enable SSO from the Maximo URL (i.e. Service Provider-initiated SAML SSO), follow the steps at the following URL:
    https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_enable_saml_sp_sso.html

    Once all this is done, your SSO setup is done for Maximo.


    Thanks,
    biplab


    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 4.  RE: SSO with Azure AD

    Posted Wed August 05, 2020 10:19 AM

    Hi Chris,

    We currently use LDAP, but will likely need to move to ADFS as we're currently moving the org to Office365. 

    Any tips for implementing SSO via ADFS?



    ------------------------------
    Mischa Fubler
    ------------------------------



  • 5.  RE: SSO with Azure AD

    Posted Thu August 06, 2020 03:47 AM
    Hi there,

    We have successfully implemented Maximo SAML with Azure AD DS.

    One of the issues is that Maximo doesn't support SAML with BIRT, so you still need LDAP if you have dedicated BROS JVMs.

    Use security domains in WebSphere to enable separate authentication methods per cluster.

    Regards

    ------------------------------
    Kevyn Williams
    Cloud Infrastructure Manager
    ------------------------------



  • 6.  RE: SSO with Azure AD

    Posted Thu August 06, 2020 09:29 AM
    Hey Chris and Mischa,

    Any tips and/or documentation on SSO implementation? Also, can you please share any best practices with this configuration and how the architecture components should be aligned to enable integrations and work centers with SSO.

    I'm gearing more towards SAML, and we have all types of integration channels like XML, web services, REST, interface tables, Maximo Anywhere and Work Centers.

    Any help will be appreciated in order to plan these efforts for successful execution.

    Thanks,
    Sushant

    ------------------------------
    Sushant Chalke
    Sr. Principal Consultant
    The Mosaic Company
    tampa FL
    8133731129
    ------------------------------



  • 7.  RE: SSO with Azure AD

    Posted Thu August 06, 2020 10:27 AM
    Hi Sushant,

    I have recently implemented SAML-based SSO for Maximo, Maximo Work Center and Maximo Anywhere 7.6.3.
    SAML SSO for Anywhere will be tricky and requires customization of the Anywhere authentication process.

    Maximo and Work Center SAML SSO is achievable without much customization (you might have to write one Java class).
    Here is a document for Maximo SAML SSO configuration (which I have already shared in this thread in my previous response):
    https://salientprocess.zendesk.com/hc/en-us/articles/115006409528-Enabling-SAML-SSO-on-Websphere-8-5-with-a-Shibboleth-IDP

    Work Center SSO can be achieved by following the LDAP configurations suggested in the tech note below:
    https://www.ibm.com/support/pages/deploying-maximo-work-centers-ldap-and-non-ldap

    Integration: You would need to set up a MIF cluster/server which will handle the integration of Maximo with external systems. I would suggest using security domains in WebSphere to set up an SSO-based UI cluster and non-SSO-based MIF clusters.
    Web service URLs would use the MIF cluster-based URLs.
    The only tricky parts are the REST API and Work Center.
    The OSLC webapp URL system property has to be the SSO URL of the UI server, as the same is used by Work Center. Otherwise Work Center SSO will not work.
    But the same SSO URL cannot be used for REST. The workaround for it is to use the X-public-uri header.
    The X-public-uri header will have the URL of the MIF server.
    https://developer.ibm.com/static/site-id/155/maximodev/restguide/Maximo_Nextgen_REST_API.html
    The IBM document above has more details on API keys and X-public-uri for the Maximo next-gen REST API.

    Hopefully this would be helpful!

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 8.  RE: SSO with Azure AD

    Posted Thu August 06, 2020 05:44 PM
    Thanks Sushant,

    How about the user sync? Normally this is done via the VMMSYNC or LDAPSYNC crontasks, but from what I've read, this won't be possible using SAML only.
    Do you have any specifics on that approach?

    ------------------------------
    Franklin Orozco
    GBM
    San Jose
    ------------------------------



  • 9.  RE: SSO with Azure AD

    Posted Thu August 06, 2020 07:43 PM
    Hi Franklin,

    User sync either has to be integrated from external IAM systems (we did this), or you can set up LDAP/AD from a cron cluster to sync users and groups.

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 10.  RE: SSO with Azure AD

    Posted Wed August 26, 2020 08:27 PM
    Hi Biplab,

    Your above post has been a big help, but I'm confused as to what goes in the sso_1.sp.acsUrl property. If my Maximo URL is "https://example.com:443/maximo", would I set it to "https://example.com:443/samlsps/maximo"? The note about "multiple, similar entry points for your SAML workflows" in the IBM article about "Enabling your system to use the SAML web single sign-on (SSO) feature" confused me.

    Thanks.

    ------------------------------
    Julio Hernandez
    ------------------------------



  • 11.  RE: SSO with Azure AD

    Posted Thu August 27, 2020 01:53 AM
    Hi Julio,

    That is a good question!
    sp.acsUrl is the URL that will be used by the IdP to redirect successful SAML responses. It has to be unique and there is no restriction on the URL string. The expected format is 'https://<hostname>:<sslport>/samlsps/<any URI pattern string>' to avoid any unforeseen behavior.
    This is useful when you have multiple ACSs installed for multiple Identity Providers.
    This is also important in terms of SAML initiated from the Service Provider (i.e. Maximo).

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 12.  RE: SSO with Azure AD

    Posted Fri August 28, 2020 04:30 PM
    Thanks for the response. Just to be clear, are you saying that if my Maximo URL is "example.com:443/maximo", I should set it to "example.com:443/samlsps/*"?

    ------------------------------
    Julio Hernandez
    ------------------------------



  • 13.  RE: SSO with Azure AD

    Posted Fri August 28, 2020 04:33 PM
    And should I include "https://" in front of the hostname?

    ------------------------------
    Julio Hernandez
    ------------------------------



  • 14.  RE: SSO with Azure AD

    Posted Sat August 29, 2020 01:26 PM
    Hi Julio,

    Yes, you are right!
    I used it as below:
    "https://example.com/samlsps/sso"



    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 15.  RE: SSO with Azure AD

    Posted Thu September 03, 2020 11:20 AM
    Hi Biplab,

    https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_enable_saml_sp_sso.html
    The class com.ibm.ws.wssecurity.saml.common.util.UTC used in this sample can be found in the (was_home)/plugins directory. Did you find which JAR is the one that contains this class file?

    Also, apart from https://salientprocess.zendesk.com/hc/en-us/articles/115006409528-Enabling-SAML-SSO-on-Websphere-8-5-with-a-Shibboleth-IDP and https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_enable_saml_sp_sso.html, do we need to make any other changes on WebSphere as well? Do we need to enable Application Server Security on WAS in Global Security?

    Please suggest.

    Thanks,
    Prashant


    ------------------------------
    Prashant Sharma
    ------------------------------



  • 16.  RE: SSO with Azure AD

    Posted Fri September 04, 2020 04:38 AM
    Hi Prashant,

    The UTC date class is a good catch. I forgot about it as I ended up not using it.
    Eventually, I used the Java SimpleDateFormat class to convert the date into the right UTC format.

    The WebSphere security domain is very important if you are using a clustered environment. I defined a security domain for the UI cluster and applied all the SSO changes to that particular security domain. This enables you to keep using the MIF/CRON servers for non-SSO connections.

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 17.  RE: SSO with Azure AD

    Posted Fri September 18, 2020 06:48 AM
    Hey Biplab,

    During redirection to sso_1.idp_1.SingleSignOnUrl, did you get the error "AADSTS750056: SAML message was not properly base64-encoded"?

    Please advise how you fixed it, in case you got it.

    Thank You!

    ------------------------------
    Prashant Sharma
    ------------------------------



  • 18.  RE: SSO with Azure AD

    Posted Fri September 18, 2020 07:39 AM
    Hi Prashant,

    Replying from mobile.

    The class file which you wrote creates the parameter string which is sent to the SAML request generator. Use base64 encoder classes to encode that string into base64 format. That should resolve the problem.

    Thanks,
    Biplab
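As an added example (not code from this thread, nor IBM's or Maximo's own sample), here is a minimal Java class that builds the SP-initiated AuthnRequest the way the last few posts describe: the IssueInstant is formatted in UTC with SimpleDateFormat instead of the WAS UTC helper class, and the XML is base64-encoded before it becomes the SAMLRequest form field, which is exactly what the AADSTS750056 error reports as missing. The entity ID, ACS URL and tenant ID are placeholders to replace with your own sso_1.sp.acsUrl and sso_1.idp_1.SingleSignOnUrl values.

```java
import java.nio.charset.StandardCharsets;
import java.text.SimpleDateFormat;
import java.util.Base64;
import java.util.Date;
import java.util.TimeZone;
import java.util.UUID;

/** Builds and base64-encodes an SP-initiated SAML 2.0 AuthnRequest (added example, not IBM's sample). */
public class SamlAuthnRequestBuilder {

    /** SAML needs IssueInstant in UTC, e.g. 2020-09-18T06:48:00Z; SimpleDateFormat replaces the WAS UTC class. */
    static String utcNow() {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        return fmt.format(new Date());
    }

    /** Plain XML: issuer = SP entity ID, acsUrl = sso_1.sp.acsUrl, destination = sso_1.idp_1.SingleSignOnUrl. */
    static String buildAuthnRequest(String issuer, String acsUrl, String destination) {
        String id = "_" + UUID.randomUUID();   // XML IDs must start with a letter or underscore, never a digit
        return "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
             + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
             + " ID=\"" + id + "\" Version=\"2.0\" IssueInstant=\"" + utcNow() + "\""
             + " Destination=\"" + destination + "\""
             + " ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\""
             + " AssertionConsumerServiceURL=\"" + acsUrl + "\">"
             + "<saml:Issuer>" + issuer + "</saml:Issuer>"
             + "</samlp:AuthnRequest>";
    }

    /** SAMLRequest value for the HTTP-POST binding: base64 of the UTF-8 XML, posted as a form field.
     *  (The HTTP-Redirect binding is different: it DEFLATEs first, then base64, then URL-encodes.) */
    static String encodeForPostBinding(String xml) {
        return Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));
    }

    /** Sanity check before redirecting: the IdP must decode the field back to the same XML. */
    static boolean roundTrips(String xml, String encoded) {
        return xml.equals(new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Placeholder values; substitute your own SP entity ID, acsUrl and Azure tenant ID.
        String xml = buildAuthnRequest("https://maximo.example.com/sp",
                                       "https://maximo.example.com/samlsps/sso",
                                       "https://login.microsoftonline.com/<tenant-id>/saml2");
        String samlRequest = encodeForPostBinding(xml);
        System.out.println("SAMLRequest=" + samlRequest);
        System.out.println("round trip ok: " + roundTrips(xml, samlRequest));
    }
}
```

If the Destination attribute does not match the URL the request is actually posted to, Azure AD will reject it even when the encoding is correct, so keep it identical to sso_1.idp_1.SingleSignOnUrl.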