Thanks once again.
Original Message:
Sent: Wed October 01, 2025 08:55 AM
From: Steven Shull
Subject: Difference in Azure AD SSO behavior between Maximo browser and Maximo Mobile for EAM
Something you could look at is trying to use your web browser for the authentication piece. If you're deploying via MDM, you can have the authentication open in the external browser rather than the in-app browser.
Setting the URL of the Maximo Application Suite server in the Maximo Mobile application - IBM Documentation
Since Maximo Mobile can't delete cookies for the web browser (it can only manage its own cookies inside the app), you likely wouldn't have the same issue. This wasn't always possible in EAM but was added as part of 9.0 I believe (it's definitely available in 9.0, just can't remember if it was 8.11 or 9.0).
Beyond that, there's not really a good option they can implement. Certainly, feel free to open an idea, I'm just not sure how it could be done without introducing security problems.
Banking apps work because they control your credentials and are really only used on dedicated devices. Most customers utilizing Maximo utilize SAML like yourself and often on shared devices. The only way they could handle that is enabling a bypass mechanism where they would skip the identity provider. There are a whole series of controls in SAML authentication flows including conditional access policies (only allow authentication if the device is trusted for example, on specific networks, etc.), two factor authentication, etc. that customers would not want the application to bypass.
Or you keep the cookies but then run the risk on a shared device that requests are authenticated as the incorrect user.
------------------------------
Steven Shull
Principal Maximo Solutions Engineer
Naviam
Cincinnati OH
Original Message:
Sent: Wed October 01, 2025 05:05 AM
From: maximo User
Subject: Difference in Azure AD SSO behavior between Maximo browser and Maximo Mobile for EAM
Thanks Steve. What's the best practice then? It's very inconvenient for the user to enter the credentials again and again. They are comparing the app with other apps that we use in daily life such as banking apps where facial recognition is enough to log in to the app. How can we improve the user experience instead of getting them annoyed? It's probably a question for IBM.
------------------------------
[Sourabh] [Jain]
[Cosol]
[Melbourne] [Vic]
Original Message:
Sent: Tue September 30, 2025 10:04 AM
From: Steven Shull
Subject: Difference in Azure AD SSO behavior between Maximo browser and Maximo Mobile for EAM
This is expected. Maximo Mobile deletes the cookies when a user logs out because it's quite common for mobile devices to be shared across multiple users. Without this removal of cookies, you could run into situations where "Bob" could authenticate as "Larry".
In MAS, there is an SP-initiated logout feature where even on desktop, if you log out it can invalidate your SSO session. This was added for similar reasons to ensure that users that have shared workstations would not re-use a previous user's session.
------------------------------
Steven Shull
Principal Maximo Solutions Engineer
Naviam
Cincinnati OH
Original Message:
Sent: Tue September 30, 2025 12:48 AM
From: maximo User
Subject: Difference in Azure AD SSO behavior between Maximo browser and Maximo Mobile for EAM
@Steven Shull - Hi Steven, are you able to share some insights on this? Thanks.
------------------------------
[Sourabh] [Jain]
[Cosol]
[Melbourne] [Vic]
Original Message:
Sent: Mon September 22, 2025 10:11 PM
From: maximo User
Subject: Difference in Azure AD SSO behavior between Maximo browser and Maximo Mobile for EAM
We are using Maximo 7.6.1.3 with Maximo Mobile for EAM 9.0.
SSO with Azure AD is enabled on Maximo 7.6.1.3 and works fine in the browser.
When we log into the Maximo Mobile for EAM app using the same URL, users are redirected to the Microsoft authentication page as expected. However, if a user logs out of the Mobile app and then logs in again, they are always taken back to the Microsoft authentication page and must re-authenticate.
In contrast, when logging into Maximo via a browser: if the user logs out and then logs in again, they are not prompted to re-authenticate with Azure AD (since the browser session persists).
My questions:
Why is there a difference in behavior between the browser and the Maximo Mobile app?
Is there a way to configure the Maximo Mobile app to reuse the Azure AD session (similar to the browser) so users don't need to re-enter their credentials every time after logout?
Or is this the expected design for security reasons?
Any guidance or experience would be appreciated.
#Mobile #SSO
------------------------------
[Sourabh] [Jain]
[Cosol]
[Melbourne] [Vic]
------------------------------