Special thanks to IBM Security Expert Labs Professional Simon Walker for contributing to this blog.
In this blog you will learn how to configure SAML integration in the MaaS360 portal so that MaaS360 portal administrators can use your existing Identity Provider (IdP) to access the MaaS360 portal with SSO. Administrators who log in to multiple services can then log in once instead of entering a password for each service, and they also benefit from any MFA you have enabled through your IdP.
MaaS360 uses IBM Security Verify as a Service Provider to seamlessly integrate MaaS360 with your IdP. In fact, we create a free IBM Security Verify tenant as part of the MaaS360 portal admin SAML configuration; you just provide an IBMid and the IBM Security Verify tenant is created for you.
In the example provided here, we integrate with Azure AD as the IdP, but you can also integrate with ADFS, Ping, Okta, and others. The setup is similar, but each IdP has its own steps to register the application.
Considerations:
- Your existing MaaS360 administrators that use an IBMid or MaaS360 Local Credentials will not be affected.
- When you set up SAML integration for the MaaS360 Portal Administrators, the same configuration can be used for Enrollments, but it's not required. Enrollment authentication will default to the User Record Auth type in the MaaS360 User Directory, or the Override that is set in Basic Enrollment Settings.
Prerequisites:
- At least one Azure user that you will use as a MaaS360 administrator. Ensure the Azure user has an email address assigned.
- An IBMid that can be used to create the free IBM Security Verify tenant (note: you can create this as part of the configuration step).
Tasks:
- Enable MaaS360 Federated Single Sign-On
- Register Enterprise Application in your Identity Provider
- Complete MaaS360 SAML Single Sign-On
- Review Application Settings in IBM Security Verify
- Create a MaaS360 Administrator
- Test SAML integration
- Review Verify Authentication Report
Configuration
Enable MaaS360 Federated Single Sign-on
In the MaaS360 portal, go to Setup > Settings > Administrator Settings > Advanced.
Select Configure Federated Single Sign-On.
Select Use SAML for Single Sign-On.
The Configure SAML based Cloud Directory pop up is displayed.
Enter an IBMid to create an IBM Security Verify tenant. You also have the option of creating an IBMid here.
After you enter the IBMid and select Submit, the IBM Security Verify tenant is created; it serves as the Service Provider for your MaaS360 tenant. You are returned to the Login Settings.
Note: Depending on timing, you might need to select Configure Federated Single Sign-On and Use SAML for Single Sign-On again if they are not selected, but the Verify settings will be there regardless.
Make note of the Custom Login URL, Assertion Consumer Service URL, and Entity ID from the Log In Settings. You will need these to configure the IdP and then test authentication.
The Custom Login URL is what your administrators will use to log in to the MaaS360 portal after the SAML integration is completed.
IBM Security Verify is the Service Provider and, in this case, Azure AD is the IdP. When you log in to the MaaS360 portal using the generated Custom Login URL, IBM Security Verify handles the SAML exchange with your IdP.
Register Enterprise Application in your Identity Provider
Login to the Azure Administrator portal: https://aad.portal.azure.com
In Azure Active Directory, select Enterprise Applications > All Applications.
Select +New Application.
The Browse Azure AD Gallery page is displayed.
Select + Create your own application.
The Create your own application page is displayed.
Type the application name; for example, MaaS360 Portal Admin.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Wait for the application to be added.
The new app you created is displayed. Select Getting Started > Set up single sign-on.
In Select a single sign-on method, click SAML.
The Set up Single Sign-on with SAML page is displayed.
Select Edit and update the following:
Identifier (Entity ID):
Click Add Identifier and copy/paste the Entity ID from the MaaS360 Login Settings.
https://accountid-maas360.verify.ibm.com/saml/sps/saml20sp/saml20
Reply URL (Assertion Consumer URL):
Click Add reply URL and copy/paste the Assertion Consumer URL from the MaaS360 Login Settings.
https://accountid-maas360.verify.ibm.com/saml/sps/saml20sp/saml20/login
Sign on URL:
Enter the Custom Login URL from the MaaS360 Login Settings.
https://m3.maas360.com/login?custID=accountid
Click Save.
Select No, I'll test later.
Assign Users and Groups to the new Enterprise Application
The following instructions are for testing one admin user. Work with your Azure administrator to assign users and groups based on your company's requirements.
The new application MaaS360 Portal Admin is displayed in the Azure Active Directory portal under Enterprise applications > MaaS360 Portal Admin.
Click Users and groups.
Click + Add user/group.
Below Users, select None Selected.
Use the Search panel to find the user that you want to assign to the MaaS360 Portal Admin application; this user will be used to test signing in to the MaaS360 portal through the SAML integration.
Select a user by highlighting it and clicking Select.
Review the user(s) selected and click Assign.
Confirm the User(s) have been assigned to the MaaS360 Portal admin application.
Download the Federation Metadata XML for the application from the Set up Single Sign-on with SAML page. The file is downloaded to your computer; you will upload it to MaaS360 in the next task.
Complete the MaaS360 SAML Single Sign-on
Return to the Login Settings in the MaaS360 portal. If your session timed out, you might need to select Setup > Settings > Administrator Settings > Advanced > Configure Federated Single Sign-On and Use SAML for Single Sign-On again. Your configuration was saved even if your session timed out.
In Identity Provider Name, type the IdP name. This can be any name you choose; it is displayed in the IBM Security Verify authentication reports.
In the Identity Provider Metadata, browse and select the Federation Metadata XML downloaded from Azure in the prior steps.
Click Save.
You can confirm the settings in two ways:
1. Go to Setup > Settings > Administrator Settings > Advanced.
2. Go to Setup > Settings > Directory and Authentication. A new authentication type, Cloud Hosted Directory with Type Corporate (SAML based), is added in the User Authentication Setup.
Note: One SAML integration per MaaS360 portal is supported. The SAML integration set up for portal admins can also be used for enrollments, but note that enrollment authentication always uses the authentication type set in the MaaS360 user record, unless you select an override in Setup > Settings > Basic Enrollment Settings.
MaaS360 has API integrations with Azure AD for enrollments which eliminates the need for the SAML integration for enrollments using Azure AD. If you wanted to use Okta or Ping for enrollments, then SAML integration is required and the SAML configuration can be used for both enrollments and portal admin logins.
Review Application Settings in IBM Security Verify
A free IBM Security Verify tenant was created for you when you configured the SAML integration in the MaaS360 portal. You can log in to the Verify tenant to review the application settings that were automatically created to support the SAML integration between MaaS360 and your IdP, and also to review authentication reports.
Open a new browser tab and log in using the IBMid you used when creating the IBM Security Verify tenant:
https://accountid-maas360.verify.ibm.com/ui/admin
Go to Applications and confirm the MaaS360 Login Application was created.
Create a MaaS360 Administrator to test your setup
In this section, you create an administrator in the MaaS360 portal who will use the SAML integration to log in to the MaaS360 portal. Your existing administrators that use MaaS360 Local Credentials and IBMid will continue to work.
In the MaaS360 portal, go to Setup > Administrators.
Select Add Administrator.
In Authenticate Using, select Corporate Credentials.
Enter a corporate username and email that match the IdP (in this case, Azure) user record.
Click Next.
Add roles that meet your requirements.
Click Next and Save.
SAML Testing
In this section, we use Firefox and the SAML Tracer extension to test the portal administrator login to ensure SAML calls are being used when logging in.
Open a private Firefox Window and make sure the SAML Tracer extension is loaded.
Type portal.office.com in the browser to log in to Microsoft.
Sign in with the MaaS360 / SAML User.
You are prompted for a password, and if you enabled MFA, you will be prompted for a second factor.
The user is now signed in. This simulates the user signing into another service before attempting to log into MaaS360 portal, in order to confirm SSO is working.
In a new browser tab in the same Firefox window, enter the MaaS360 SAML sign-in URL, which you noted as the Log-On URL under Setup > Settings > Administrator Settings > Advanced > Login Settings:
https://m3.maas360.com/login?custID=accountid
If the configuration was completed successfully, the SAML request is exchanged between Azure AD and IBM Security Verify, appears in the SAML tracer, and the administrator is logged in without having to enter credentials.
Note: The first time an administrator logs into MaaS360, they will have to update their Profile.
Complete the profile details and click Save.
Logon to MaaS360 is completed.
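To read the SAML Tracer capture more systematically than eyeballing it, the following Python snippet decodes a SAMLResponse and checks that the assertion is addressed to your Service Provider (Audience equals the Entity ID, Recipient equals the Assertion Consumer Service URL, the validity window is current) and that the NameID matches the email on the MaaS360 administrator record. It is an added example, not code from the original post or from IBM; the response is a constructed, unsigned sample, the IdP entityID is a placeholder, and signature validation is left to Verify.

```python
"""Inspect a SAMLResponse captured with SAML Tracer against the MaaS360 service-provider values."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP values from MaaS360 Login Settings ("accountid" is the blog's placeholder); IdP entityID is a placeholder.
SP_ENTITY_ID = "https://accountid-maas360.verify.ibm.com/saml/sps/saml20sp/saml20"
SP_ACS_URL = SP_ENTITY_ID + "/login"
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed, unsigned sample of a decoded response (not a real capture).
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{SP_ACS_URL}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <saml:Assertion><saml:Subject><saml:NameID>admin@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"
   NotOnOrAfter="2099-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):  # SAML timestamps are UTC with a trailing Z, e.g. 2099-01-01T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(response_b64, expected_email, now=None):
    """Return (name_id, problems); an empty list means the assertion is addressed to our SP."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        problems.append("issuer is not the configured IdP")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, problems + ["no plaintext Assertion in response"]
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if aud.strip() != SP_ENTITY_ID:
        problems.append("Audience is not the MaaS360 Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL:
        problems.append("Recipient is not the Assertion Consumer Service URL")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if name_id.lower() != expected_email.lower():
        problems.append("NameID does not match the MaaS360 administrator record")
    return name_id, problems
```

Paste the SAMLResponse value from SAML Tracer as the first argument to see which of these checks a real login satisfies.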
Review Verify Authentication Report
Log in to the IBM Security Verify portal that was created for you:
https://accountid-maas360.verify.ibm.com/ui/admin
The authentication request shows the IdP name that was configured in MaaS360.