Maximo

Hi Aditi,

Maximo, like any other enterprise-grade secure solution, requires authentication before it can authorize a user to access any of its applications or modules. In simple terms, authentication ensures that the user is who they claim to be, while authorization determines what actions or data that verified user can access.

There is no scenario where authorization can occur without authentication—this is a fundamental security principle. For example, before a maintenance planner can approve a work order in Maximo, the system first verifies their identity using credentials (such as a username and password, or a token). Only after successful authentication does Maximo check the user’s assigned security groups or roles to authorize access to specific applications like Work Order Tracking, Inventory, or Purchasing.

When Single Sign-On (SSO) or LDAP/Active Directory (AD) integration is configured, it might appear that users are logging into Maximo without entering credentials. However, in reality, authentication still takes place—just not directly within Maximo. Instead, the verification happens through an external identity provider (such as Azure AD, IBM Security Verify, or Okta), and Maximo trusts the session token provided by that service.

For example:

• In an enterprise using LDAP, when a technician logs into their Windows workstation, their credentials are validated by Active Directory. When they later open Maximo, the system recognizes their AD session and seamlessly authenticates them without re-entering credentials.

• Similarly, with SSO using SAML or OIDC, a manager might access Maximo via a corporate portal. The authentication is handled by the organization’s identity provider, which then issues a secure token that Maximo accepts for login.

In both cases, authentication still occurs—just through federated identity mechanisms—ensuring that Maximo remains compliant with enterprise security standards and audit requirements.

There is a way to bypass that first MAS "Please choose your MAS App" and go directly to Manage.
This does not alter the authentication/authorization scheme.  In an OKTA implementation I use this as my target URL.

https://auth.<mas-domain>/idplogin/loginpage?idp=saml:default-saml&wsid=main&appid=manage

IDP specified your Identity Provider.  If you don't use SAML, you can use local or ldap
The wsid is your MAS <workspaceid>, in this example main and the appid is, in this case manage.
The default tagging was intended to provide the "log off/log back in" behaviour or returning me to the SAML page, but I'm not sure that works as I expected it to.

A MAS Local Authenticated direct login URL would look like
https://auth.<mas-domain>/idplogin/loginpage?idp=local&wsid=main&appid=manage

I still have to authorize, but I get taken directly to the Manage application now.

Hi Scott, 

As I said my initial reply that it might look like we are bypassing authentication but that's not the case. If we look your response carefully then it gives us the answer. Below is my attempt to elaborate the URL from your post :

idp=saml:default-saml →
Specifies the Identity Provider (IdP) used for user authentication.

• saml indicates that the authentication protocol in use is SAML (Security Assertion Markup Language), which enables Single Sign-On (SSO) across applications.

• default-saml refers to the default SAML configuration defined within the Maximo Application Suite (MAS), typically linked to an enterprise Identity Provider such as Azure Active Directory (Azure AD), Okta, or IBMid.