Maximo Open Forum

  • 1.  Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 04-12-2021 00:06

    Maximo 7.6.0.9 provides the capability to integrate Maximo with Identity Providers (IdP) like Azure AD, Open Connect etc., using SAML. Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

    While this integration worked properly in the IBM Maximo UI application, browserless connections for the Maximo REST/OSLC APIs were not supported and needed a direct local Active Directory connection. Maximo has added the API Key feature from Maximo 7.6.0.9, which can be used to overcome this limitation. In earlier versions of Maximo, creating an API key for a specific user and managing the key was not user friendly, and it required MAXAUTH to be passed to generate the API key from a REST/OSLC API call. With Maximo 7.6.1.2, the API Key feature has been improved, and administrators can now generate API keys for users from the Maximo UI and revoke them on the go.

    Once users have integrated Maximo with SAML authentication, they can go to the Work Center application and assign API keys from the Administration Work Center.

    We have detailed the steps below on how API keys can be created and used for REST/OSLC APIs:

    1. To create an API key, administrators should go to Administration Work Center > Integration.

    2. Click on API Keys and then click on the Add API Keys button.

    3. Search for the user for whom the API key needs to be generated and click on the Add button.

    4. This will generate an API key for the user, and the key will be visible in the work center. In the future, if the administrator wants to revoke the user's access, the key can be deleted by pressing the Delete button on the same card.

    5. Now this API key can be used with the REST/OSLC APIs.

    While using the API key, there is no need to pass MAXAUTH for non-LDAP (native authentication) or user credentials with BASIC Auth for LDAP-enabled Maximo instances.

    6. The APIKEY will be passed in the params for the API, which will provide the API output after authentication by Maximo.

    EAM360 uses API Keys for authenticating REST/OSLC APIs for SAML Authentication enabled Maximo environments.

    Thanks,

    Prashant Sharma


    #Administration
    #Integrations
    #Mobility
    #WorkCenters
    #EverythingMaximo

    ------------------------------
    Prashant Sharma
    EAM360
    ------------------------------


  • 2.  RE: Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 04-12-2021 09:45
    Hi Prashant, thanks for the documentation.

    I have a question about Step 5. Is the Maximo host URL a SAML URL or a separate URL that connects over an LDAP connection?
    For a SAML Maximo environment, authentication will be done using the SAML protocol via the Maximo SAML host URL. Once authentication is successful, to utilize the API key with an OSLC object, can we use the same SAML host URL?

    Thanks in advance.

    Ronak Agrawal
    Arora Technology Group

    ------------------------------
    Ronak Agrawal
    Arora Technology Group
    ------------------------------



  • 3.  RE: Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 04-12-2021 10:06
    For API keys to work with SAML/LDAP, you need to use /maximo/api instead of /maximo/oslc, which requires being on 7.6.1.1 or higher or modifying the web.xml to add it in. This functions the same as /maximo/oslc, but SAML/LDAP depend on application server security, which takes over protecting the route from the application and would prevent the API key from being utilized.

    ------------------------------
    Steven Shull
    Projetech Inc.
    ------------------------------



  • 4.  RE: Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 04-13-2021 12:37
    Hello,

    We are also extensively using the API key in all our integrations. I am, however, always concerned about the security of this transmission. The API key is clearly visible in the HTTP GET/POST requests (as part of the URL itself). It can easily be intercepted by any HTTP traffic inspection tool.

    Pankaj

    ------------------------------
    Pankaj Bhide
    Berkeley National Laboratory
    ------------------------------



  • 5.  RE: Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 04-13-2021 12:58
    Yeah, I would not recommend using query parameters (i.e. putting it in the URL) because they're often logged by load balancers, web servers, etc. You can also provide it as a header on your request, which makes it less likely to be logged. It's sort of a security improvement, but if you're making the request client side, for example, a user can still see any headers provided on your request. You're just minimizing the likelihood of it being logged.

    ------------------------------
    Steven Shull
    Projetech Inc.
    ------------------------------
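The point Steven makes here and in his earlier reply (use /maximo/api for SAML/LDAP instances, and carry the key in a header rather than the query string so proxies and web servers do not log it) can be shown in code. This is an added example, not code from the thread or from Maximo itself; the `apikey` header name is taken from Maximo's REST API documentation rather than from this thread, and the host, object structure and key value are constructed for illustration.

```python
"""Build Maximo REST requests that keep the API key out of the URL, and scrub
any key that still reaches an access log. Added example, not Maximo code."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# SAML/LDAP-protected instances need this route rather than /maximo/oslc (per the thread).
API_ROOT = "/maximo/api"


def build_request(base_url, resource, api_key, in_header=True, query=None):
    """Return a urllib Request for /maximo/api/<resource>.

    With in_header=True the key travels in the 'apikey' header (name assumed
    from Maximo's REST docs), so the logged request line never contains it.
    With in_header=False it is placed in the query string, the form the
    original post describes, which load balancers and web servers log.
    """
    params = dict(query or {})
    if not in_header:
        params["apikey"] = api_key
    url = f"{base_url.rstrip('/')}{API_ROOT}/{resource.lstrip('/')}"
    if params:
        url += "?" + urlencode(params)
    headers = {"Accept": "application/json"}
    if in_header:
        headers["apikey"] = api_key  # urllib stores it as 'Apikey'; HTTP headers are case-insensitive
    return Request(url, headers=headers)


def key_in_url(url):
    """True if an apikey query parameter is present (i.e. it would be logged)."""
    return "apikey" in parse_qs(urlsplit(url).query)


_APIKEY_RE = re.compile(r"(apikey=)[^&\s]+", re.IGNORECASE)


def redact_log_line(line):
    """Mask an API key that was sent as a query parameter before the line is stored or shipped."""
    return _APIKEY_RE.sub(r"\1REDACTED", line)


if __name__ == "__main__":
    # Constructed values: hostname, object structure and key are not real.
    req = build_request("https://maximo.example.com", "os/mxapiasset",
                        "constructed-key-123", query={"lean": "1"})
    print(req.full_url, req.get_header("Apikey"), key_in_url(req.full_url))
    print(redact_log_line("GET /maximo/api/os/mxapiasset?apikey=constructed-key-123&lean=1 HTTP/1.1"))
```

Whether the key is in a header or the URL, a caller running in a browser can still read it, so the request should be issued from a server-side component rather than client-side code.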



  • 6.  RE: Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 09-21-2022 20:09
    Hi Steven,

    It doesn't sound like API Keys are a very secure way to authenticate a calling transaction. Has anything changed with API Keys since your last post?  

    Thanks.

    ------------------------------
    Julio Hernandez
    Ergonare, Inc.
    ------------------------------



  • 7.  RE: Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 09-22-2022 11:49

    I'm not understanding your exact concern well enough to know how to answer. Whether you're using a username and password or an API key, the client-side security aspect is the same. There is no way (in any application) to secure something from a user on the client side (i.e. HTTP or JavaScript requests). Open Developer Tools in your web browser on any application (Office 365, Box, etc.) and you can see the exact requests, including the username/password, cookies, etc. that give you access to utilize their APIs. At best you can obscure the information, but even then that's typically pointless.

    You need to do the action on the server side if you don't want them to be able to see the API key. For example, if you have an SR submission website that anyone in your organization uses and that interacts with Maximo, don't have the interaction with Maximo occur on the client side but on the server side. Otherwise they would be able to see the API key utilized to authenticate the requests.


    In 7.6.1.2 we did enhance the security of the API key in a variety of ways based on feedback I had provided (when I was at a Business Partner) and from other customers. The mxe.secureapikey system property was added to encrypt the API key for storage in the database and is enabled by default. mxe.apikeysysusers allows you to specify a list of users for whom you cannot create an API key (unless it was done with their username/password). This allows you to prevent someone with the ability to create an API key from creating one for an admin account (like maxadmin/mxintadm). mxe.apikeyforloggedinuser takes it a step further and only allows you to create an API key for yourself. If you don't want anyone to be able to create API keys for other users, this will help prevent that.



    ------------------------------
    Steven Shull
    IBM
    ------------------------------



  • 8.  RE: Maximo API Key - REST/OSLC API Authentication with IdP via SAML

    Posted 09-23-2022 12:54
    Steven,

    I misunderstood your previous post. When you said "a user can still see any headers provided on your request", I missed the distinction between client-side and server-side.

    Thank you.

    ------------------------------
    Julio Hernandez
    Ergonare, Inc.
    ------------------------------