Maximo


SSO with Azure AD

  • 1.  SSO with Azure AD

    IBM Champion
    Posted Thu July 23, 2020 04:49 PM
    Team,

    Has anyone completed an SSO implementation in Maximo using Microsoft Azure AD?
    If so, can you please share steps or experiences? Did you enable it using SAML or OAuth?
    Did you face any implementation challenges ?

    Any leads will be helpful, 
    Thanks 
    Venkat

    ------------------------------
    Venkataraman Guruswamy
    ------------------------------

    #AssetandFacilitiesManagement
    #Maximo


  • 2.  RE: SSO with Azure AD

    Posted Mon July 27, 2020 10:00 AM
    We set up Maximo SSO on ADFS.  At some point it will be moved to Azure.
    I would be interested in notes on Azure as well and would be happy to talk about ADFS.

    ------------------------------
    Chris Schulz
    ------------------------------



  • 3.  RE: SSO with Azure AD

    IBM Champion
    Posted Tue July 28, 2020 02:44 AM
    Hi,

    I have recently implemented SAML-based SSO using Azure as the identity provider for Maximo, Maximo Work Center and Maximo Anywhere.
    I can't tell you about the changes or steps required to do SAML-based SSO in Azure, but below is a link which has the steps for Maximo:
    https://salientprocess.zendesk.com/hc/en-us/articles/115006409528-Enabling-SAML-SSO-on-Websphere-8-5-with-a-Shibboleth-IDP

    Once the above steps are followed, you can access Maximo from the Azure portal, which is called an IdP-initiated SAML response.

    To enable SSO from the Maximo URL (i.e. service-provider-initiated SAML SSO) you need to follow this URL:
    https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_enable_saml_sp_sso.html

    Once all this is done, your SSO setup is done for Maximo.


    Thanks,
    biplab


    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 4.  RE: SSO with Azure AD

    Posted Wed January 13, 2021 11:14 AM
    Hi Biplab,

    You mention SAML with Maximo Anywhere, but I don't see any links or documentation. Can you share any of that?

    Thank you,
    Scott

    ------------------------------
    Scott Patterson
    SMS
    ------------------------------



  • 5.  RE: SSO with Azure AD

    Posted 2 days ago

    Hi Biplab,

    https://salientprocess.zendesk.com/hc/en-us/articles/115006409528-Enabling-SAML-SSO-on-Websphere-8-5-with-a-Shibboleth-IDP 

    The previously shared link is no longer valid; I would appreciate it very much if you could share the updated link.

    Thank you.



    ------------------------------
    Imran Badruddin
    ------------------------------



  • 6.  RE: SSO with Azure AD

    Posted Wed August 05, 2020 10:19 AM

    Hi Chris,

    We currently use LDAP, but will likely need to move to ADFS as we're currently moving the org to Office365. 

    Any tips for implementing SSO via ADFS?



    ------------------------------
    Mischa Fubler
    ------------------------------



  • 7.  RE: SSO with Azure AD

    Posted Thu August 06, 2020 03:47 AM
    Hi there,

    We have successfully implemented Maximo SAML with Azure AD DS

    One of the issues is that Maximo doesn't support SAML with BIRT, so you still need LDAP if you have dedicated BROS JVMs

    Use security domains in WebSphere to enable separate authentication methods per cluster

    Regards

    ------------------------------
    Kevyn Williams
    Cloud Infrastructure Manager
    ------------------------------



  • 8.  RE: SSO with Azure AD

    IBM Champion
    Posted Thu August 06, 2020 09:29 AM
    Hey Chris and Mischa,

    Any tips and/or documentation on SSO implementation? Also, can you please share any best practices for this configuration and how the architecture components should be aligned to enable integrations and work centers with SSO?

    I'm more geared towards SAML, and we have all types of integration channels like XML, web services, REST, interface tables, Maximo Anywhere and work centers.

    Any help will be appreciated in order to plan this effort for successful execution.

    Thanks,
    Sushant

    ------------------------------
    Sushant Chalke
    Sr. Principal Consultant
    The Mosaic Company
    tampa FL
    8133731129
    ------------------------------



  • 9.  RE: SSO with Azure AD

    IBM Champion
    Posted Thu August 06, 2020 10:27 AM
    Hi Sushant,

    I have recently implemented SAML-based SSO for Maximo, Maximo Work Center and Maximo Anywhere 763.
    SAML SSO for Anywhere will be tricky and requires customization of the Anywhere authentication process.

    Maximo and Work Center SAML SSO is achievable without much customization (you might have to write one Java class).
    Below is a document for Maximo SAML SSO configuration (which I have already shared in this post in my previous response):
    https://salientprocess.zendesk.com/hc/en-us/articles/115006409528-Enabling-SAML-SSO-on-Websphere-8-5-with-a-Shibboleth-IDP

    Work Center SSO can be achieved by following the LDAP configurations suggested in the tech note below:
    https://www.ibm.com/support/pages/deploying-maximo-work-centers-ldap-and-non-ldap

    Integration: you would need to set up a MIF cluster/server which will handle the integration of Maximo with external systems. I would suggest using security domains in WebSphere to set up an SSO-based UI cluster and non-SSO-based MIF clusters.
    Web service URLs would use the MIF-cluster-based URLs.
    The only tricky parts are the REST API and Work Center.
    The OSLC web app URL system property has to be the SSO URL of the UI server, as the same will be used by Work Center. Otherwise Work Center SSO will not work.
    But the same SSO URL cannot be used for REST. The workaround for it will be to use the X-public-uri header.
    The X-public-uri header will have the URL of the MIF server.
    https://developer.ibm.com/static/site-id/155/maximodev/restguide/Maximo_Nextgen_REST_API.html
    The IBM document above has more details on API keys and X-public-uri for the Maximo next-gen REST API.

    Hopefully this would be helpful!

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 10.  RE: SSO with Azure AD

    Posted Thu August 06, 2020 05:44 PM
    Thanks Sushant,

    How about the user sync? Normally this is done via the VMMSYNC or LDAPSYNC crontasks, but from what I've read, this won't be possible using SAML only.
    Do you have any specifics on that approach?

    ------------------------------
    Franklin Orozco
    GBM
    San Jose
    ------------------------------



  • 11.  RE: SSO with Azure AD

    IBM Champion
    Posted Thu August 06, 2020 07:43 PM
    Hi Franklin,

    User sync either has to be integrated from external IAM systems (we did this), or you can set up LDAP/AD from a cron cluster to sync users and groups.

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 12.  RE: SSO with Azure AD

    Posted Tue September 21, 2021 12:55 PM
    Good day Biplab,

    Kindly elaborate on how you got the user sync in Maximo working. Any high level steps for connecting external IAM? How will the LDAPSYNC from cron cluster sync to Azure AD?

    Thanks.

    ------------------------------
    Navroze Hilloo
    ------------------------------



  • 13.  RE: SSO with Azure AD

    Posted Tue September 21, 2021 07:50 PM
    We have recently completed a project with SAML-based SSO. You can configure LDAP for Azure AD, but it's not available out of the box.  Instead we leveraged MIF to push users into Maximo from Azure AD to align the asserted ID to a Maximo user.

    ------------------------------
    Michael Kasteel
    Director
    ISW
    0402830412
    ------------------------------



  • 14.  RE: SSO with Azure AD

    IBM Champion
    Posted Tue September 21, 2021 09:00 PM
    Hi Navroze Hilloo,

    You can integrate MAXUSER, PERSON, MAXGROUP and GROUPUSER using the REST API or MIF (Michael has confirmed that he has done it using MIF). I did it using the REST API with an IAM system. The IAM system had REST API integration capabilities.

    LDAP integration using the VMMSYNC cron can be achieved theoretically, but I haven't done it. It should be similar to what different projects have been following since Maximo 7.1.
    The technote below might be helpful to understand that integration:
    https://www.ibm.com/support/pages/maximo-and-ldap-configuration-start-finish

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------
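
The user-sync approach Michael and Biplab describe above, as an added example that is not code from this thread, from IBM or from either poster. It reconciles a list of Azure AD users against Maximo MAXUSER rows and emits the REST payloads a sync job would send: create PERSON + MAXUSER + GROUPUSER for users the IdP vouches for, and set INACTIVE the ones it no longer does. The join key is the SAML NameID, which Azure AD sends as the UPN by default, and it has to equal MAXUSER.LOGINID exactly. Assumptions: the Graph field subset, the nested payload shape (modelled on a PERSON/MAXUSER/GROUPUSER object structure such as MXPERUSER; adjust to the one you deploy), the 30-character default ID column length, the PROTECTED account list, and that every non-protected MAXUSER row is managed by this sync. Sample data is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Reconciles Azure AD users against Maximo MAXUSER rows and emits the REST payloads a
 * sync job would send. Join key is the SAML NameID (the UPN by default in Azure AD): it
 * must equal MAXUSER.LOGINID exactly, otherwise the SAML TAI authenticates a principal
 * that Maximo cannot map to a user.
 */
public class AzureToMaximoUserSync {

    static final class AzureUser {                     // subset of Microsoft Graph /users fields (assumption)
        final String upn, givenName, surname, mail; final boolean accountEnabled;
        AzureUser(String upn, String givenName, String surname, String mail, boolean accountEnabled) {
            this.upn = upn; this.givenName = givenName; this.surname = surname;
            this.mail = mail; this.accountEnabled = accountEnabled;
        }
    }
    static final class MaximoUser {                    // subset of MAXUSER columns
        final String userId, loginId, status;
        MaximoUser(String userId, String loginId, String status) {
            this.userId = userId; this.loginId = loginId; this.status = status;
        }
    }
    static final class Plan {
        final List<String> creates = new ArrayList<String>();      // JSON bodies for PERSON+MAXUSER+GROUPUSER
        final List<String> deactivates = new ArrayList<String>();  // USERIDs to set INACTIVE
        final List<String> rejected = new ArrayList<String>();     // records skipped, with the reason
    }

    // Built-in accounts the IdP-driven sync must never deactivate.
    static final Set<String> PROTECTED = new HashSet<String>(Arrays.asList("MAXADMIN", "MAXINTADM", "MAXREG"));
    static final int MAX_ID_LEN = 30; // assumption: default USERID/LOGINID/PERSONID column length; check MAXATTRIBUTE

    static Plan reconcile(List<AzureUser> azure, List<MaximoUser> maximo, String defaultGroup) {
        Plan plan = new Plan();
        Map<String, MaximoUser> byLogin = new HashMap<String, MaximoUser>();
        for (MaximoUser m : maximo) byLogin.put(m.loginId, m);

        Set<String> seen = new HashSet<String>();    // every UPN encountered, for duplicate detection
        Set<String> wanted = new HashSet<String>();  // UPNs that should be ACTIVE in Maximo
        for (AzureUser u : azure) {
            if (u.upn == null || u.upn.isEmpty()) { plan.rejected.add("missing UPN"); continue; }
            if (!seen.add(u.upn)) { plan.rejected.add(u.upn + ": duplicate UPN"); continue; }
            if (u.upn.length() > MAX_ID_LEN) { plan.rejected.add(u.upn + ": longer than " + MAX_ID_LEN); continue; }
            if (!u.accountEnabled) continue;         // disabled at the IdP: treated as absent
            wanted.add(u.upn);
            if (!byLogin.containsKey(u.upn)) plan.creates.add(createPayload(u, defaultGroup));
        }
        // Anything ACTIVE in Maximo that the IdP no longer vouches for is closed off here too,
        // so it cannot keep logging in through the non-SSO (MIF/LDAP) security domain.
        for (MaximoUser m : maximo) {
            if (PROTECTED.contains(m.userId)) continue;
            if ("ACTIVE".equals(m.status) && !wanted.contains(m.loginId)) plan.deactivates.add(m.userId);
        }
        return plan;
    }

    /** Assumption: payload shape for a PERSON/MAXUSER/GROUPUSER object structure such as MXPERUSER. */
    static String createPayload(AzureUser u, String defaultGroup) {
        String id = u.upn.toUpperCase(); // Maximo IDs are conventionally upper case; LOGINID keeps the exact NameID
        return "{"
             + "\"personid\":" + q(id) + ",\"firstname\":" + q(u.givenName) + ",\"lastname\":" + q(u.surname)
             + ",\"primaryemail\":" + q(u.mail) + ",\"status\":\"ACTIVE\""
             + ",\"maxuser\":[{\"userid\":" + q(id) + ",\"loginid\":" + q(u.upn) + ",\"status\":\"ACTIVE\""
             + ",\"groupuser\":[{\"groupname\":" + q(defaultGroup) + "}]}]"
             + "}";
    }

    /** JSON string literal with the two characters that matter escaped. */
    static String q(String s) {
        if (s == null) return "null";
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample data, not from any real tenant or Maximo instance.
        List<AzureUser> azure = Arrays.asList(
            new AzureUser("jane.doe@example.com", "Jane", "Doe", "jane.doe@example.com", true),
            new AzureUser("bob.lee@example.com", "Bob", "Lee", "bob.lee@example.com", false),
            new AzureUser("jane.doe@example.com", "Jane", "Doe", "jane.doe@example.com", true));
        List<MaximoUser> maximo = Arrays.asList(
            new MaximoUser("MAXADMIN", "maxadmin", "ACTIVE"),
            new MaximoUser("BOB.LEE@EXAMPLE.COM", "bob.lee@example.com", "ACTIVE"),
            new MaximoUser("OLD.USER@EXAMPLE.COM", "old.user@example.com", "ACTIVE"));
        Plan plan = reconcile(azure, maximo, "MAXEVERYONE");
        System.out.println("create:     " + plan.creates);      // jane.doe only
        System.out.println("deactivate: " + plan.deactivates);  // BOB.LEE (disabled) and OLD.USER (gone); MAXADMIN untouched
        System.out.println("rejected:   " + plan.rejected);     // the duplicate jane.doe record
    }
}
```

Keying on the UPN rather than on mail matters because mail is mutable and can be reassigned to a different person, which would silently hand that person the old Maximo user. Deactivating rather than deleting keeps the audit trail and the user's open records intact, and because MAXUSER.STATUS is checked regardless of which WebSphere security domain a JVM sits in, it also closes the non-SSO MIF/LDAP path for a user who has left.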



  • 15.  RE: SSO with Azure AD

    Posted Wed August 26, 2020 08:27 PM
    Hi Biplab,

    Your above post has been a big help but I'm confused as to what goes in the sso_1.sp.acsUrl property.  If my Maximo URL is "https://example.com:443/maximo", would I set it to "https://example.com:443/samlsps/maximo"?  The note about "multiple, similar entry points for your SAML workflows" in the IBM article about "Enabling your system to use the SAML web single sign-on (SSO) feature" confused me.

    Thanks.

    #AssetandFacilitiesManagement
    #Maximo


  • 16.  RE: SSO with Azure AD

    IBM Champion
    Posted Thu August 27, 2020 01:53 AM
    Hi Julio,

    That is a good question!
    sp.acsUrl is the URL that will be used by the IdP to redirect successful SAML responses. It has to be unique and there is no restriction on the URL string. The expected format is 'https://<hostname>:<sslport>/samlsps/<any URI pattern string>' to avoid any unforeseen behaviour.
    This is useful when you have multiple ACSs installed for multiple identity providers.
    This is also important for SAML initiated from the service provider (i.e. Maximo).

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 17.  RE: SSO with Azure AD

    Posted Fri August 28, 2020 04:30 PM
    Thanks for the response.  Just to be clear, are you saying that if my Maximo URL is "example.com:443/maximo", I should set it to "example.com:443/samlsps/*"?

    #Maximo
    #AssetandFacilitiesManagement


  • 18.  RE: SSO with Azure AD

    IBM Champion
    Posted Tue January 19, 2021 01:29 AM
    Hi Biplab / Prashanth.
    1. When we get a certificate directly from the Azure portal instead of extracting it via the port, we are not seeing any IdP host information.
    If that is the case, how can we configure the properties against the sso_idp... related properties? Is there any alternative?
    2. Also, how do we verify that the SAML service is up and running, when we tested http://host:443/samlsps/sso? The SAML app is installed and it's running, but we should bring it up, right? Do we need a wrapper server (like MXSERVER) to run it, or is just running the application enough? Right now when I put http://host:443/samlsps/sso there is no indication of the server running. Am I missing anything? Thanks for your insights and blog.
    Regards,
    Venkat

    ------------------------------
    Venkataraman Guruswamy
    ------------------------------



  • 19.  RE: SSO with Azure AD

    Posted Fri August 28, 2020 04:33 PM
    And I should include "https://" in front of the HostName?

    #AssetandFacilitiesManagement
    #Maximo


  • 20.  RE: SSO with Azure AD

    IBM Champion
    Posted Sat August 29, 2020 01:26 PM
    Hi Julio,

    Yes, you are right! 
    I used as below:
    "https://example.com/samlsps/sso"



    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 21.  RE: SSO with Azure AD

    IBM Champion
    Posted Thu September 03, 2020 11:20 AM
    Hi Biplab,

    https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_enable_saml_sp_sso.html
    com.ibm.ws.wssecurity.saml.common.util.UTC, the class used in this sample, can be found in the (was_home)/plugins directory. Did you find which JAR contains this class file?

    Also, apart from https://salientprocess.zendesk.com/hc/en-us/articles/115006409528-Enabling-SAML-SSO-on-Websphere-8-5-with-a-Shibboleth-IDP and https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_enable_saml_sp_sso.html, do we need to make any other change on WebSphere? Do we need to enable application server security on WAS in Global Security?

    Please suggest.

    Thanks,
    Prashant


    ------------------------------
    Prashant Sharma
    ------------------------------



  • 22.  RE: SSO with Azure AD

    IBM Champion
    Posted Fri September 04, 2020 04:38 AM
    Hi Prashant,

    The UTC date class is a good catch. I forgot about it, as I ended up not using it.
    Eventually, I used the Java SimpleDateFormat class to convert the date into the right UTC format.

    A WebSphere security domain is very important if you are using a clustered environment. I defined a security domain for the UI cluster and applied all the SSO changes to that particular security domain. This enables you to keep using the MIF/CRON servers for the non-SSO connections.

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 23.  RE: SSO with Azure AD

    IBM Champion
    Posted Fri September 18, 2020 06:48 AM
    Hey Biplab,

    During redirection to sso_1.idp_1.SingleSignOnUrl, did you get the error AADSTS750056: SAML message was not properly base64-encoded?

    Please advise how you fixed it, in case you got it.

    Thank You!

    ------------------------------
    Prashant Sharma
    ------------------------------



  • 24.  RE: SSO with Azure AD

    IBM Champion
    Posted Fri September 18, 2020 07:39 AM
    Hi Prashant,

    Replying from mobile.

    The class file which you wrote creates the parameter string which is sent to the SAML request generator.  Use base64 encoder classes to encode that string into base64 format. That should resolve the problem.

    Thanks,
    Biplab
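
The custom class that posts 21 to 24 above are about, as an added example written for this page; it is not code from the thread, from IBM's sample or from either poster. It implements WebSphere's AuthnRequestProvider for service-provider-initiated SSO, stamps IssueInstant with SimpleDateFormat pinned to UTC instead of the com.ibm.ws.wssecurity.saml.common.util.UTC helper, and base64-encodes the AuthnRequest as the HTTP-POST binding requires, which is the step whose absence Azure AD reports as AADSTS750056. Assumptions: the package name and SP entity ID are placeholders; the method signature and the AUTHN_REQUEST, REQUEST_ID, RELAY_STATE and SSO_URL constant names are taken from the IBM tsec_enable_saml_sp_sso sample linked above and should be checked against the interface in your WAS plugins directory; Java 8 or later for java.util.Base64.

```java
package com.example.maximo.saml; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.TimeZone;

import javax.servlet.http.HttpServletRequest;

import com.ibm.wsspi.security.web.saml.AuthnRequestProvider;

/**
 * SP-initiated SAML 2.0 AuthnRequest provider for the WebSphere SAML TAI.
 * The request is returned base64-encoded, as the HTTP-POST binding requires; handing
 * back raw XML is what Azure AD rejects with AADSTS750056.
 */
public class AzureAuthnRequestProvider implements AuthnRequestProvider {

    // Assumption: the SP entity ID registered in Azure AD as the application "Identifier".
    // Azure AD requires <saml:Issuer> to match it exactly.
    private static final String SP_ENTITY_ID = "https://example.com/samlsps/sso";
    private static final String POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    private static final SecureRandom RNG = new SecureRandom();

    // Assumption: signature and map keys as in the IBM sample; verify against the installed interface.
    @Override
    public HashMap<String, String> getAuthnRequest(HttpServletRequest req, String errorMsg,
                                                   String acsUrl, ArrayList<String> ssoUrls) {
        String idpSsoUrl = ssoUrls.get(0);   // the sso_1.idp_1.SingleSignOnUrl value; Azure AD has one
        String requestId = newId();          // xsd:ID, so it must start with a letter or '_'
        String relayState = newId();         // opaque token; the TAI correlates it with the request

        String xml = buildAuthnRequest(requestId, utcNow(), acsUrl, idpSsoUrl);
        String encoded = Base64.getEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));

        HashMap<String, String> map = new HashMap<String, String>();
        map.put(AuthnRequestProvider.SSO_URL, idpSsoUrl);
        map.put(AuthnRequestProvider.REQUEST_ID, requestId);
        map.put(AuthnRequestProvider.RELAY_STATE, relayState);
        map.put(AuthnRequestProvider.AUTHN_REQUEST, encoded);
        return map;
    }

    /** IssueInstant in the xs:dateTime form SAML expects: UTC with a trailing 'Z'. */
    static String utcNow() {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC")); // otherwise local time is stamped as if it were UTC
        return fmt.format(new Date());
    }

    /** 128 random bits, '_'-prefixed so it is a valid XML ID and not guessable by a third party. */
    static String newId() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        StringBuilder sb = new StringBuilder("_");
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    /** Minimal AuthnRequest. Destination and ACS URL are attribute values, so they are escaped. */
    static String buildAuthnRequest(String id, String issueInstant, String acsUrl, String idpSsoUrl) {
        return "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
             + " xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\""
             + " ID=\"" + id + "\" Version=\"2.0\" IssueInstant=\"" + issueInstant + "\""
             + " Destination=\"" + xmlEscape(idpSsoUrl) + "\""
             + " ProtocolBinding=\"" + POST_BINDING + "\""
             + " AssertionConsumerServiceURL=\"" + xmlEscape(acsUrl) + "\">"
             + "<saml:Issuer>" + xmlEscape(SP_ENTITY_ID) + "</saml:Issuer>"
             + "<samlp:NameIDPolicy Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\""
             + " AllowCreate=\"true\"/>"
             + "</samlp:AuthnRequest>";
    }

    static String xmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace("\"", "&quot;");
    }
}
```

Package the class into a JAR on the UI cluster's classpath and point the SAML TAI at it the way the IBM page linked above describes, then restart the cluster. Keep the AssertionConsumerServiceURL in the request identical to sso_1.sp.acsUrl and to the Reply URL registered in Azure AD; a mismatch on either side is rejected before any user sees a login page.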





  • 25.  RE: SSO with Azure AD

    IBM Champion
    Posted Mon January 25, 2021 01:01 AM
    Hi Prashanth, can you please advise where the main method for this AuthnRequestProvider interface is?
    Thanks again

    ------------------------------
    Venkataraman Guruswamy
    ------------------------------



  • 26.  RE: SSO with Azure AD

    Posted Fri August 20, 2021 10:17 AM
    Hi Biplab,

    I have also implemented SSO with Azure AD using SAML. The SSO part is working fine, but I am not able to access the web services. I am using a clustered environment, so I created separate EARs for UI, CRON, RPT and IF. In the UI EAR I enabled the app server security and disabled it in the rest of the EARs. I also kept the web.xml, application.xml and deployment-application.xml different in all three EARs from the UI EAR. I tried creating security domains in WebSphere as well, but I am still not able to access the web services. Can you please help me out on this?

    ------------------------------
    Prashant Baweja
    ------------------------------



  • 27.  RE: SSO with Azure AD

    IBM Champion
    Posted Mon August 23, 2021 01:46 AM
    Hi Prashant,

    If you are not able to access the web service, then my suggestion is to try to debug this issue. I can think of the below things which can be done to investigate the issue further:

    1. Ensure that MIF (or whichever JVM you are using for the web service) is using a different security profile. This security profile should not have app server security enabled or any property related to the SSO setup.
    2. Check if you are able to log in without SSO on the MIF JVMs (use the JVM URLs).
    3. Check the web app URL and make sure it is pointing to your MIF JVM URL (not the web service URL).
    4. If everything looks good in points 1, 2 and 3, then run the JVM trace logs. Trace logs can help you find out the exact issue with the web service.

    Thanks,
    Biplab

    ------------------------------
    Biplab Choudhury
    Maximo Consultant
    Tata Consultancy Services
    Melbourne
    ------------------------------



  • 28.  RE: SSO with Azure AD

    Posted Tue August 24, 2021 11:05 AM
    Hello Prashant,
    I had implemented SSO with Okta using SAML a while ago and ran into similar issues. The fix was simple though.
    Please filter the userid that you are using for accessing the REST APIs at the trust authentication layer in WebSphere. You should then be able to access the APIs and other integrations.

    ------------------------------
    Kushal Desai
    ------------------------------



  • 29.  RE: SSO with Azure AD

    Posted Tue June 07, 2022 03:42 PM
    Kushal,

    Can you please elaborate Trust authentication layer in Websphere?

    Thanks,
    Chirag Patel

    ------------------------------
    Chirag Patel
    ------------------------------



  • 30.  RE: SSO with Azure AD

    Posted Fri November 04, 2022 11:23 AM
    I could bypass/manage SAML through Security Domain in Websphere. MIF JVM/cluster can be set up to bypass SAML and use native/LDAP security.

    ------------------------------
    Chirag Patel
    ------------------------------