Maximo

Hi Team,

Our client requires us to implement MFA on Maximo. Based on the client requirements, we are discussing integrating MAS-Manage with Azure AD B2C using SAML.
However, in this case, as far as we know, user synchronization is not supported so our client needs to register an user information with both an Azure AD B2C and MAS-Core, which we suppose is inefficient.

Has anybody know the effective solution in terms of user synchronization?
Is there any chance using Azure AD Domain Services could be one of the solution?

We would appreciate it if you could tell me any solutions or any tips.

------------------------------
Masahiro Kuroe
------------------------------

------------------------------
Masahiro Kuroe
------------------------------

#AssetandFacilitiesManagement
#Maximo

Hi Masahiro,

I know LDAP user sync cron task works with 7612 but not sure if the same is true for MAS8 as it has a different module for User data.

I think MAS8 supports User synchronisation using rest api so you can use that to sync users into MAS.
We used Maximo REST API for user and groups synchronisation in Maximo 761.

Thanks,

------------------------------
Biplab Choudhury
IBM Champion 2022
Senior Consultant
BPD Zenith
Melbourne
------------------------------

Original Message:
Sent: Tue September 13, 2022 10:53 PM
From: Masahiro Kuroe
Subject: User synchronization with Azure AD B2C

Hi Team,

Our client requires us to implement MFA on Maximo. Based on the client requirements, we are discussing integrating MAS-Manage with Azure AD B2C using SAML.
However, in this case, as far as we know, user synchronization is not supported so our client needs to register an user information with both an Azure AD B2C and MAS-Core, which we suppose is inefficient.

Has anybody know the effective solution in terms of user synchronization?
Is there any chance using Azure AD Domain Services could be one of the solution?

We would appreciate it if you could tell me any solutions or any tips.

------------------------------
Masahiro Kuroe
------------------------------

------------------------------
Masahiro Kuroe
------------------------------

#AssetandFacilitiesManagement
#Maximo

Hi Biplab,

Thanks for the quick response.
If possible, would you share the procedures or documentation on how to utilize Maximo REST API for user and groups synchronisation in Maximo 761?

------------------------------
Masahiro Kuroe
------------------------------

------------------------------
Masahiro Kuroe
------------------------------

Original Message:
Sent: Thu September 15, 2022 01:30 AM
From: Biplab Choudhury
Subject: User synchronization with Azure AD B2C

Hi Masahiro,

I know LDAP user sync cron task works with 7612 but not sure if the same is true for MAS8 as it has a different module for User data.

I think MAS8 supports User synchronisation using rest api so you can use that to sync users into MAS.
We used Maximo REST API for user and groups synchronisation in Maximo 761.

Thanks,

------------------------------
Biplab Choudhury
IBM Champion 2022
Senior Consultant
BPD Zenith
Melbourne

Original Message:
Sent: Tue September 13, 2022 10:53 PM
From: Masahiro Kuroe
Subject: User synchronization with Azure AD B2C

Hi Team,

Our client requires us to implement MFA on Maximo. Based on the client requirements, we are discussing integrating MAS-Manage with Azure AD B2C using SAML.
However, in this case, as far as we know, user synchronization is not supported so our client needs to register an user information with both an Azure AD B2C and MAS-Core, which we suppose is inefficient.

Has anybody know the effective solution in terms of user synchronization?
Is there any chance using Azure AD Domain Services could be one of the solution?

We would appreciate it if you could tell me any solutions or any tips.

------------------------------
Masahiro Kuroe
------------------------------

------------------------------
Masahiro Kuroe
------------------------------

#AssetandFacilitiesManagement
#Maximo

As Biplab mentions, we support a LDAP synchronization process in MAS (though it is different than 7.6.1.X as we no longer use the cron task inside of Manage). Since you specifically mentioned a B2C scenario where these users are not part of your AD, I'm not sure if the Azure AD services for enabling Azure AD to support LDAP would work. I assume B2C users are more of a JIT provisioning so a scheduled job to synchronize users wouldn't work well either. 

For MAS, we're planning to support SCIM (https://ibm-ai-apps.ideas.ibm.com/ideas/MSS1-I-27) which is an industry standard for provisioning users. Looking at the Azure AD documentation, it looks like B2B scenarios would be supported but B2C would not be (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/isv-automatic-provisioning-multi-tenant-apps). 

We also have approved an idea (https://ibm-ai-apps.ideas.ibm.com/ideas/MSS1-I-48) that isn't clear to me exactly what we're planning to implement. I assume this is to support a JIT provisioning scenario (basically provision the users as they attempt to login) but it doesn't specifically state that. 

These won't be added until MAS 8.9 or later (we don't backport new features to existing versions of the product) so if you need something sooner you may have to write your own integration with the MS Graph API. Bulk API support for user management in MAS doesn't exist in the current version (it is being added) so you may find it easiest to integrate the users into Manage and then utilize the MASUSERSYNC cron task to push the users from Manage into MAS. This was only really intended for the initial sync after the upgrade but I know a few customers who are currently using it in the interim until we get the bulk API in the next release.

------------------------------
Steven Shull
------------------------------

Original Message:
Sent: Tue September 13, 2022 10:53 PM
From: Masahiro Kuroe
Subject: User synchronization with Azure AD B2C

Hi Team,

Our client requires us to implement MFA on Maximo. Based on the client requirements, we are discussing integrating MAS-Manage with Azure AD B2C using SAML.
However, in this case, as far as we know, user synchronization is not supported so our client needs to register an user information with both an Azure AD B2C and MAS-Core, which we suppose is inefficient.

Has anybody know the effective solution in terms of user synchronization?
Is there any chance using Azure AD Domain Services could be one of the solution?

We would appreciate it if you could tell me any solutions or any tips.

------------------------------
Masahiro Kuroe
------------------------------

------------------------------
Masahiro Kuroe
------------------------------

#Maximo
#AssetandFacilitiesManagement

Hi Steven,

Thanks for the quick response.

------------------------------
Masahiro Kuroe
------------------------------

Original Message:
Sent: Thu September 15, 2022 09:06 AM
From: Steven Shull
Subject: User synchronization with Azure AD B2C

As Biplab mentions, we support a LDAP synchronization process in MAS (though it is different than 7.6.1.X as we no longer use the cron task inside of Manage). Since you specifically mentioned a B2C scenario where these users are not part of your AD, I'm not sure if the Azure AD services for enabling Azure AD to support LDAP would work. I assume B2C users are more of a JIT provisioning so a scheduled job to synchronize users wouldn't work well either. 

For MAS, we're planning to support SCIM (https://ibm-ai-apps.ideas.ibm.com/ideas/MSS1-I-27) which is an industry standard for provisioning users. Looking at the Azure AD documentation, it looks like B2B scenarios would be supported but B2C would not be (https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/isv-automatic-provisioning-multi-tenant-apps). 

We also have approved an idea (https://ibm-ai-apps.ideas.ibm.com/ideas/MSS1-I-48) that isn't clear to me exactly what we're planning to implement. I assume this is to support a JIT provisioning scenario (basically provision the users as they attempt to login) but it doesn't specifically state that. 

These won't be added until MAS 8.9 or later (we don't backport new features to existing versions of the product) so if you need something sooner you may have to write your own integration with the MS Graph API. Bulk API support for user management in MAS doesn't exist in the current version (it is being added) so you may find it easiest to integrate the users into Manage and then utilize the MASUSERSYNC cron task to push the users from Manage into MAS. This was only really intended for the initial sync after the upgrade but I know a few customers who are currently using it in the interim until we get the bulk API in the next release.

------------------------------
Steven Shull

Original Message:
Sent: Tue September 13, 2022 10:53 PM
From: Masahiro Kuroe
Subject: User synchronization with Azure AD B2C

Hi Team,

Our client requires us to implement MFA on Maximo. Based on the client requirements, we are discussing integrating MAS-Manage with Azure AD B2C using SAML.
However, in this case, as far as we know, user synchronization is not supported so our client needs to register an user information with both an Azure AD B2C and MAS-Core, which we suppose is inefficient.

Has anybody know the effective solution in terms of user synchronization?
Is there any chance using Azure AD Domain Services could be one of the solution?

We would appreciate it if you could tell me any solutions or any tips.

------------------------------
Masahiro Kuroe
------------------------------

------------------------------
Masahiro Kuroe
------------------------------

#Maximo
#AssetandFacilitiesManagement