Maximo

 View Only

 Implementing MFA Without IdP for External Maximo Users in MAS 9

Ammar Hamed's profile image
Ammar Hamed posted Thu January 30, 2025 03:14 AM

We have a client who wants to implement Multi-Factor Authentication (MFA) for external users (contractors) accessing Maximo in an MAS 9 environment. Normally, we would rely on SAML authentication with an Identity Provider (IdP) that supports MFA. However, due to the client's internal policy, using an IdP is not an option.

Proposed Approach:

Since SAML authentication is not an option, we are considering adding an intermediate page between the MAS Core login page and the Maximo Manage Start Center. This page would prompt users to enter a one-time code sent to their mobile device. Once verified, they would be redirected to the Maximo Start Center.

Questions:

  1. Is this approach technically feasible in MAS 9?
  2. What is the best way to integrate this additional authentication step? Specifically, can we introduce a custom .jsp page for this purpose, and if so, how would it be implemented within the MAS framework?
  3. Are there alternative solutions within the MAS architecture that could help achieve this without using an IdP?

Any guidance, best practices, or implementation recommendations would be highly appreciated.

Yogesh Bhatt's profile image
Yogesh Bhatt posted Wed July 23, 2025 11:08 PM

Hi Ammar, I am also wondering the same, Did you got some answers yet? 

Witold Wierzchowski's profile image
Witold Wierzchowski IBM Champion posted Fri July 25, 2025 02:41 AM

Hi,

I'm assuming You cannot integrate with the customer's IdP. One approach You can use is to deploy Keycloak on OpenShift and use that as IdP. You would then create local users in Keycloak and eitehr use SCIM to sync those to MAS or create them manually in MAS as well. Keycloak can handle MFA for You.

BR,

Related Content