IBM Security MaaS360


Setting up SAML Integration for MaaS360 Portal SSO Access

By Margaret Radford posted Wed July 06, 2022 01:34 PM


Special thanks to IBM Security Expert Labs Professional Simon Walker for contributing to this blog.

In this blog you will learn how to configure SAML integration in the MaaS360 portal so that MaaS360 portal administrators can use your existing Identity Provider (IdP) to access the portal with SSO. Administrators who log in to multiple services then log in once instead of entering a password for each service, and the MFA you enforce at the IdP applies to MaaS360 portal logins as well.

MaaS360 uses IBM Security Verify as the Service Provider (SP) that integrates MaaS360 with your IdP. A free IBM Security Verify tenant is created as part of the MaaS360 portal admin SAML configuration: you provide an IBMid, and the IBM Security Verify tenant is created for you.

In the example here, we integrate with Azure AD as the IdP. You can also integrate with ADFS, Ping, Okta and others. The setup is similar, but each IdP has its own steps for registering the application.

Before you start, note the following:
  • Your existing MaaS360 administrators who use an IBMid or MaaS360 Local Credentials are not affected.
  • When you set up SAML integration for MaaS360 portal administrators, the same configuration can be used for enrollments, but this is not required. Enrollment authentication defaults to the User Record Auth type in the MaaS360 User Directory, or to the override set in Basic Enrollment Settings.
  • You need at least one Azure user to use as a MaaS360 administrator. Ensure the Azure user has an email address assigned; the MaaS360 administrator record is matched against the identity attributes Azure AD sends.
  • You need an IBMid to create the free IBM Security Verify tenant (Note: you can create the IBMid as part of the configuration step).
The configuration has these steps:
  1. Enable MaaS360 Federated Single Sign-On
  2. Register Enterprise Application in your Identity Provider
  3. Complete MaaS360 SAML Single Sign-On
  4. Review Application Settings in IBM Security Verify
  5. Create a MaaS360 Administrator
  6. Test SAML integration
  7. Review Verify Authentication Report


Enable MaaS360 Federated Single Sign-On

In the MaaS360 portal, go to Setup > Settings > Administrator Settings > Advanced.
Select Configure Federated Single Sign-On.

Select Use SAML for Single Sign-On.

The Configure SAML based Cloud Directory pop-up is displayed.


Enter an IBMid to create an IBM Security Verify tenant. You can also create a new IBMid here.

After you enter the IBMid and select Submit, the IBM Security Verify tenant that will serve as the Service Provider for your MaaS360 tenant is created, and you are returned to Login Settings.
Note: Depending on timing, Configure Federated Single Sign-On and Use SAML for Single Sign-On might appear unselected when you return. Select them again if so; the Verify settings are there regardless.

Make a note of the Custom Login URL, Assertion Consumer Service URL and Entity ID from Login Settings. You need them to configure the IdP and later to test authentication.
The Custom Login URL is what your administrators use to log in to the MaaS360 portal after the SAML integration is complete.
IBM Security Verify is the Service Provider and, in this case, Azure AD is the IdP. When an administrator opens the generated Custom Login URL, IBM Security Verify handles the SAML exchange with your IdP: it sends an authentication request to Azure AD, and Azure AD returns the signed SAML response to the Assertion Consumer Service URL. Enter the Entity ID and Assertion Consumer Service URL in the IdP exactly as shown; Azure AD rejects a request whose reply URL does not match what is registered for the application.

Register Enterprise Application in your Identity Provider

Log in to the Azure portal:

In Azure Active Directory, select Enterprise Applications > All Applications.
Select + New Application.
The Browse Azure AD Gallery page is displayed.
Select + Create your own application.
The Create your own application page is displayed.
Type the application name; for example, you can use MaaS360 Portal Admin.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Wait for the application to be added.

The new app you created is displayed. Select Getting Started > Set up single sign-on.

Under Select a single sign-on method, click SAML.
The Set up Single Sign-On with SAML page is displayed.
Select Edit and update the following.

Identifier (Entity ID):
Click Add Identifier and copy and paste the Entity ID from the MaaS360 Login Settings.

Reply URL (Assertion Consumer Service URL):
Click Add reply URL and copy and paste the Assertion Consumer Service URL from the MaaS360 Login Settings. This is the only URL to which Azure AD will send the SAML response, so it must match exactly, including the scheme and any trailing path.

Sign on URL:
Enter the Custom Login URL from the MaaS360 Login Settings.

Click Save.

Select No, I'll test later

Assign Users and Groups to the new Enterprise Application

The following instructions are for testing with one admin user. Work with your Azure administrator to assign users and groups based on your company's requirements; assigning only the users and groups who need portal access keeps the application aligned with least privilege, and if you want MFA enforced for portal logins, target this application with an Azure AD Conditional Access policy.
The new application MaaS360 Portal Admin should be displayed in the Azure Active Directory portal under Enterprise applications > MaaS360 Portal Admin.
Click Users and groups.
Click + Add user/group.
Below Users, select None Selected.
Use the Search panel to find the user that you want to assign to the MaaS360 Portal Admin application; this user will be used to test signing in to the MaaS360 portal through the SAML integration.
Select a user by highlighting it and clicking Select.
Review the user(s) selected and click Assign.
Confirm that the user(s) have been assigned to the MaaS360 Portal Admin application.

Set up Single Sign-On with SAML
Select Single sign-on.
Scroll down to section 3 (SAML Signing Certificate) and download the Federation Metadata XML. This file is used in the MaaS360 portal to complete the SAML integration; it carries the Azure AD entity ID, the SAML sign-on endpoints and the certificate Azure AD uses to sign responses.
The Federation Metadata XML file is downloaded to your computer.

Complete the MaaS360 SAML Single Sign-On

Return to Login Settings in the MaaS360 portal. If your session timed out, you might need to select Setup > Settings > Administrator Settings > Advanced >
Configure Federated Single Sign-On and Use SAML for Single Sign-On again. Your configuration was saved even if your session timed out.

In Identity Provider Name, type the IdP name. This can be any name you choose; it is displayed in the IBM Security Verify authentication reports.
In Identity Provider Metadata, browse to and select the Federation Metadata XML downloaded from Azure in the prior steps.

Click Save. 
You can confirm the settings in two ways:
1. Go to Setup > Settings > Administrator Settings > Advanced.
2. Go to Setup > Settings > Directory and Authentication. A new authentication type, Cloud Hosted Directory with Type Corporate (SAML based), is added in User Authentication Setup.
Note: One SAML integration per MaaS360 portal is supported. The SAML integration set up for portal admins can also be used for enrollments, but enrollment authentication always uses the authentication type set in the MaaS360 user record, unless you select an override in Setup > Settings > Basic Enrollment Settings.
MaaS360 has API integrations with Azure AD for enrollments, which eliminates the need for SAML integration for enrollments when Azure AD is the IdP. If you want to use Okta or Ping for enrollments, SAML integration is required, and the same SAML configuration can be used for both enrollments and portal admin logins.

Review Application Settings in IBM Security Verify
A free IBM Security Verify tenant was created for you when you configured the SAML integration in the MaaS360 portal. You can log in to the Verify tenant to review the application settings that were created automatically to support the SAML integration between MaaS360 and your IdP, and to review authentication reports.

Open a new browser tab and log in using the IBMid you used when creating the IBM Security Verify tenant:

Go to Applications and confirm that the MaaS360 Login application was created.

Create a MaaS360 Administrator to test your setup
In this section, you create an administrator in the MaaS360 portal who will use the SAML integration to log in to the portal. Your existing administrators who use MaaS360 Local Credentials or an IBMid continue to work.

In the MaaS360 portal, go to Setup > Administrators.
Select Add Administrator.
In Authenticate Using, select Corporate Credentials.
Enter a corporate username and email that match the IdP (in this case, Azure) user record. Azure AD's default claim configuration for a non-gallery application sends the user principal name as the NameID and the user's mail attribute as the email address claim, so these must line up with what you enter here.
Click Next.
Add the roles that meet your requirements; grant only the portal permissions this administrator needs.
Click Next and Save.

SAML Testing
In this section, we use Firefox and the SAML-tracer extension to test the portal administrator login and confirm that SAML requests and responses are exchanged when logging in.

Open a private Firefox window and make sure the SAML-tracer extension is loaded.

In the browser, go to the Microsoft sign-in page.
Sign in with the MaaS360 / SAML user.
You are prompted for a password and, if you enabled MFA, for a second factor.
The user is now signed in. This simulates the user signing in to another service before attempting to log in to the MaaS360 portal, in order to confirm that SSO is working.

In a new browser tab in the same Firefox window, enter the MaaS360 Custom Login URL from Setup > Settings > Administrator Settings > Advanced > Login Settings:
If the configuration is complete, SAML-tracer shows the authentication request that IBM Security Verify sends to Azure AD, followed by the SAML response that Azure AD posts back to the Assertion Consumer Service URL, and the administrator is logged in without entering credentials again. If the login fails instead, the decoded request and response in SAML-tracer are the place to look: a mismatched Issuer or AssertionConsumerServiceURL, or a NameID that does not match the MaaS360 administrator record, are the usual causes.
Note: The first time an administrator logs in to MaaS360, they must update their profile.
Complete the profile details and click Save.
Login to MaaS360 is complete.
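SAML-tracer decodes the messages for you, but it helps to know what you are looking at and what the values should be. The following script is an added example, not part of the original post or of MaaS360, IBM Security Verify or SAML-tracer. It takes the redirect URL that carries the SAMLRequest parameter (as SAML-tracer shows it for a GET request in the HTTP-Redirect binding), undoes the base64 and raw-DEFLATE encoding, and compares the request with the values from Login Settings. EXPECTED holds placeholders standing in for your Entity ID, Assertion Consumer Service URL and Azure AD SAML endpoint, and SAMPLE_AUTHN_REQUEST is a constructed request in the shape a Service Provider sends.

```python
"""Decode a SAMLRequest as shown by SAML-tracer and check it against the
MaaS360 Login Settings values.

Added example; not part of the original post, MaaS360, IBM Security Verify
or SAML-tracer. EXPECTED holds placeholders for the Login Settings values
and the Azure AD SAML endpoint; SAMPLE_AUTHN_REQUEST is constructed.
"""
import base64
import sys
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

EXPECTED = {  # placeholders: substitute the values from your Login Settings
    "entity_id": "https://sp.example.com/saml20",           # Entity ID
    "acs_url": "https://sp.example.com/saml20/login",       # Assertion Consumer Service URL
    "idp_sso_url": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2",
}

# Constructed AuthnRequest, as a Service Provider would send it to the IdP.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2022-07-06T13:34:00Z"
    Destination="{EXPECTED['idp_sso_url']}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{EXPECTED['acs_url']}">
  <saml:Issuer>{EXPECTED['entity_id']}</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"/>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_redirect_binding(param: str) -> ET.Element:
    """Reverse of encode_redirect_binding; the HTTP-POST binding is base64 only."""
    return ET.fromstring(zlib.decompress(base64.b64decode(param), -15))


def saml_request_from_url(url: str) -> str:
    """Pull the SAMLRequest query parameter off the redirect URL SAML-tracer shows."""
    return parse_qs(urlparse(url).query)["SAMLRequest"][0]


def summarize_authn_request(root: ET.Element) -> dict:
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest (a samlp:Response travels IdP to SP)")
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def check_authn_request(summary: dict, expected: dict) -> list:
    """Each mismatch here is something Azure AD will reject or Verify will not accept."""
    problems = []
    if summary["issuer"] != expected["entity_id"]:
        problems.append("Issuer %r is not the Entity ID registered as Identifier in Azure AD"
                        % summary["issuer"])
    if summary["acs_url"] != expected["acs_url"]:
        problems.append("AssertionConsumerServiceURL %r is not the Reply URL registered in Azure AD"
                        % summary["acs_url"])
    if summary["destination"] != expected["idp_sso_url"]:
        problems.append("Destination %r is not the Azure AD SAML sign-on endpoint"
                        % summary["destination"])
    return problems


# Constructed redirect URL in the form SAML-tracer displays (RelayState and Signature omitted).
SAMPLE_REDIRECT_URL = EXPECTED["idp_sso_url"] + "?" + urlencode(
    {"SAMLRequest": encode_redirect_binding(SAMPLE_AUTHN_REQUEST)})

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_REDIRECT_URL
    summary = summarize_authn_request(decode_redirect_binding(saml_request_from_url(url)))
    for key, value in summary.items():
        print("%-14s %s" % (key, value))
    for problem in check_authn_request(summary, EXPECTED):
        print("MISMATCH:", problem)
```

Paste the full redirect URL from SAML-tracer as the first argument after filling in EXPECTED. An Issuer or AssertionConsumerServiceURL that differs from the Identifier and Reply URL entered in the Azure AD Basic SAML Configuration is the most common reason the sign-in stops at Azure AD with an error instead of returning a response.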

Review Verify Authentication Report
Log in to the IBM Security Verify portal that was created for you.

The authentication request shows the IdP name that was configured in MaaS360.

1 comment



Wed July 06, 2022 02:03 PM

I'm noticing the images are displaying blurry. I will try to get these clearer.