Special thanks to IBM Security Expert Labs Professional Simon Walker for contributing to this blog.
In this blog you will learn how to configure SAML integration in the MaaS360 portal so MaaS360 portal administrators can use your existing Identity Provider (IdP) to access the MaaS360 portal with SSO. Administrators who log in to multiple services can then sign in once instead of entering a password for each one, and they also benefit from any MFA you have enabled in your IdP.
MaaS360 uses IBM Security Verify as a Service Provider to seamlessly integrate MaaS360 with your IdP. In fact, we create a free IBM Security Verify tenant as part of the MaaS360 portal admin SAML configuration; you just provide an IBMid and the IBM Security Verify tenant is created for you.
In the example here, we integrate with Azure AD as the IdP. You can also integrate with ADFS, Ping, Okta, and more. The setup is similar, but each IdP has its own steps to register the application.
- Your existing MaaS360 administrators that use an IBMid or MaaS360 Local Credentials will not be affected.
- When you set up SAML integration for the MaaS360 Portal Administrators, the same configuration can be used for Enrollments, but it's not required. Enrollment authentication will default to the User Record Auth type in the MaaS360 User Directory, or the Override that is set in Basic Enrollment Settings.
- At least one Azure user that you will use as a MaaS360 Administrator. Ensure the Azure user has an email address assigned.
- An IBMid that can be used to create the free IBM Security Verify tenant (Note: you can create this as part of the configuration step)
- Enable MaaS360 Federated Single Sign-On
- Register Enterprise Application in your Identity Provider
- Complete MaaS360 SAML Single Sign-On
- Review Application Settings in IBM Security Verify
- Create a MaaS360 Administrator
- Test SAML integration
- Review Verify Authentication Report
Enable MaaS360 Federated Single Sign-on
In the MaaS360 portal, go to Setup > Settings > Administrator Settings > Advanced
Select Configure Federated Single Sign-On
Select Use SAML for Single Sign-On
The Configure SAML based Cloud Directory pop up is displayed.
Enter an IBMid to create an IBM Security Verify tenant. You also have the option of creating an IBMid here.
After you enter the IBMid and select Submit, the IBM Security Verify tenant is created; it serves as the Service Provider for your MaaS360 tenant. You are returned to the Login Settings.
Note: Depending on timing, Configure Federated Single Sign-On and Use SAML for Single Sign-On might not appear selected when you return; select them again if needed. The Verify settings are present regardless.
Make note of the Custom Login URL, Assertion Consumer Service URL, and Entity ID from the Login Settings. You will need these to configure the IdP and then to test authentication.
The Custom Login URL is what your administrators will use to login to the MaaS360 portal after the SAML integration is completed.
IBM Security Verify is the Service Provider and, in this case, Azure AD is the IdP. When an administrator logs in to the MaaS360 portal using the generated Custom Login URL, IBM Security Verify handles the SAML exchange with your IdP.
Register Enterprise Application in your Identity Provider
Login to the Azure Administrator portal: https://aad.portal.azure.com
In Azure Active Directory, select Enterprise Applications> All Applications.
Select +New Application.
The Browse Azure AD Gallery page is displayed.
Select +Create your own application.
The Create your own application page is displayed.
Type the application name, for example you can use MaaS360 Portal Admin.
Select Integrate any other application you don't find in the gallery (Non-gallery)
Wait for the application to be added.
The new App you created is displayed. Select Getting Started> Set up single sign-on
Under Select a single sign-on method, click SAML.
The Set up Single Sign-on with SAML page is displayed.
Select Edit and update the following.
Identifier (Entity ID):
Click Add Identifier and copy/paste the Entity ID from the MaaS360 Login Settings.
Reply URL (Assertion Consumer Service URL):
Click Add reply URL and copy/paste the Assertion Consumer Service URL from the MaaS360 Login Settings.
Sign on URL:
Enter the Custom Login URL from the MaaS360 Login Settings.
Select No, I'll test later
Assign Users and Groups to the new Enterprise Application
The following instructions are for testing one admin user. Work with your Azure administrator to assign users and groups based on your company's requirements.
The new application, MaaS360 Portal Admin, should be displayed in the Azure Active Directory portal under Enterprise applications > MaaS360 Portal Admin.
Click Users and groups
Click + Add user/group
Below Users, select None Selected
Use the Search panel to find a user that you want to assign to MaaS360 Portal Admin application and which will be used to test signing into the MaaS360 portal using the SAML integration.
Select a User by highlighting it and clicking Select
Review the User(s) selected and click Assign
Confirm the User(s) have been assigned to the MaaS360 Portal admin application.
On the Set up Single Sign-on with SAML page, under SAML Signing Certificate, select Download next to Federation Metadata XML. The Federation Metadata XML file is downloaded to your computer.
Complete the MaaS360 SAML Single Sign-on
Return to the Login Settings in the MaaS360 portal. If your session timed out, you might need to go to Setup > Settings > Administrator Settings > Advanced and select Configure Federated Single Sign-On and Use SAML for Single Sign-On again. Your configuration was saved even if your session timed out.
In the Identity Provider Name, type the IdP name. This can be any name you choose. The name is displayed in the IBM Security Verify authentication reports.
In the Identity Provider Metadata, browse and select the Federation Metadata XML downloaded from Azure in the prior steps.
You can confirm the settings two ways:
1. Go to Setup > Settings > Administrator Settings > Advanced.
2. Go to Setup > Settings > Directory and Authentication.
In the User Authentication Setup, a new authentication type, Cloud Hosted Directory with Type Corporate (SAML based), is added.
One SAML integration per MaaS360 portal is supported. The SAML integration set up for portal admins can also be used for enrollments, but note that enrollment authentication always uses the authentication type set in the MaaS360 user record, unless you select an override in Setup > Settings > Basic Enrollment Settings.
MaaS360 has API integrations with Azure AD for enrollments, which eliminates the need for the SAML integration for enrollments using Azure AD. If you want to use Okta or Ping for enrollments, SAML integration is required, and the same SAML configuration can be used for both enrollments and portal admin logins.
Review Application Settings in IBM Security Verify
A free IBM Security Verify tenant was created for you when you configured the SAML integration in the MaaS360 portal. You can log in to the Verify tenant to review the application settings that were automatically created to support the SAML integration with MaaS360 through your IdP, and to review authentication reports.
Open a new browser tab and log in using the IBMid you used when creating the IBM Security Verify tenant:
Go to Applications and confirm the MaaS360 Login Application was created.