Maximo Open Forum


Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

  • 1.  Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-08-2024 13:53

    Hello,
    I'm in the process of integrating Maximo Asset Management 7.6.1.3 with Microsoft Azure and require assistance to configure Single Sign-On (SSO) using the SAML protocol.

    I would appreciate any guidance on configuring both the WebSphere application and the Microsoft Azure portal to facilitate this integration. Thank you.
    Anything would help me.


    #EverythingMaximo

    ------------------------------
    souleymen ben sedrine
    arondor
    ------------------------------


  • 2.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-22-2024 15:51

    Hi,

    Are you wanting IdP initiated or SP initiated?  I have had IdP initiated working without a custom class for the SAML authentication request provider, but I did not keep a copy of the TAI settings for that. It is possible, though, if this is the workflow you need.

    For SP initiated, you will need to create a SAML authentication request provider (I have not worked out a way around that).  With that I can share the setup steps and settings we have configured.  You can do some setup, send your Azure team a metadata file and they build the Azure Enterprise Application (ruleset their side) and then send you a metadata file to complete the setup in WebSphere.  We are doing it manually as it makes more sense in our situation.

    Thanks,

    Cameron



    ------------------------------
    Cameron
    ------------------------------



  • 3.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-22-2024 15:51
    Edited by Christopher Winston 05-22-2024 16:33

    Hi Cameron,

    Thank you for your response.

    I'm working on an IdP-initiated setup. Here are the steps I followed during my configuration:

    1. Installed and Configured WebSphere and Maximo 7.6.1.3:

      • Followed the instructions in the Maximo SAML Configuration Documentation.
    2. Installed the SAML (ACS) and Enabled SAML TAI:

      • Followed the detailed steps in the WebSphere SAML SSO Feature Documentation.
    3. Modified the web.xml Files:

      • Attached the modified web.xml files with their paths as names.
    4. Configured Properties in the Interceptor:

      • Configured the properties in the interceptor, as shown in the attached screenshots.
    5. Exported and Uploaded Metadata Files:

      • Exported the metadata file from WebSphere and uploaded it to Azure Entra.
      • Exported the metadata file from Azure and uploaded it to WebSphere, following the documentation instructions.

    I'll attach screenshots of my configuration so you can see exactly what I have done.
    Could you please help me with the correct steps and configuration? Your assistance would be greatly appreciated.
    thank you.



    ------------------------------
    souleymen ben sedrine
    arondor
    ------------------------------



  • 4.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-27-2024 16:34

    Hi,

    Sorry for the delay.  My experience with Azure is you need a custom SAML Authentication Request Provider; I have not been successful with just the steps that are covered by the good document Jan has nicely provided.  This is detailed on this IBM link: "Enabling SAML SP-Initiated web single sign-on (SSO) - IBM Documentation".

    Azure - you need the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and the Sign On URL configured.  Your screenshot section 1 only has the first two configured. Whilst your URLs look to be internal URLs, that should still work.  The Sign On URL would be something like https://192.168.1.12:40800/maximo based on your screenshot - the URL to access Maximo.

    Section 2 on the Azure SAML setup you have used user.userprincipalname for the Name ID - this means in Maximo your login IDs will need to be Azure UPNs - the login user names that look like email addresses which is good as that is what you log into Azure with.

    You need (not technically, but advisable) the SAML certificate of the Azure enterprise app (section three on your screenshot - the base64 version).  You need the Login URL and Microsoft Entra Identifier details, which should be #4 on that same Azure screen in your screenshot.

    I cannot give you our custom SAML Authentication Request Provider jar file - I will see if I can make a generic one, but still this is something you should compile yourself since it is security related after all.  You install this by copying the jar file to ...\IBM\WebSphere\AppServer\lib\ext on each of the WebSphere servers (if you have multiple in a cluster).

    You install the Certificate into WebSphere - remembering the Alias.  And as in Jan's document, you install the SAML Assertion Consumer Service (ACS) - remembering to set the custom properties com.ibm.websphere.security.DeferTAItoSSO and com.ibm.websphere.security.InvokeTAIbeforeSSO both to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.

    Trust association setting wise:

    sso_1.sp.acsUrl - the same as you set Azure Sign on URL and as you have used

    sso_1.sp.EntityID - using the same as sso_1.sp.acsUrl is simple and as you have set up in Azure

    sso_1.sp.login.error.page - this is the java class file name of your custom SAML Authentication Request Provider that you need to compile

    sso_1.sp.targetUrl - this is the url to go to after sign in, typically the start center for Maximo so guessing something like https://192.168.1.12:40800/maximo/ui/?event=loadapp&value=startcntr based on the url in your screenshot

    sso_1.idp_1.SingleSignOnUrl - the log in url from Azure

    sso_1.idp_1.EntityID - The Entra Identifier ID from Azure

    sso_1.idp_1.certAlias - The alias of the SSL cert you installed in WebSphere from Azure

    sso_1.sp.filter - Not needed, but can be used if you want to bypass the redirect

    sso_1.sp.idMap - idAssertion

    sso_1.sp.groupMap - localRealm

    sso_1.sp.trustStore - CellDefaultTrustStore (I am assuming this is where you will install the SSL Cert)

    sso_1.sp.keyStore - CellDefaultKeyStore (again based on where I expect you would install the cert)

    sso_1.sp.useRealm - defaultWIMFileBasedRealm (probably the value you are after if you have not got a custom setup in WebSphere)

    There are other settings you could use, like sso_1.sp.enforceTaiCookie set to false if you were using the filter setting to have a bypass to Maximo's login form URL, to enable bypassing SSO and manually signing in - you need an LDAP repository set up in WebSphere for that.

    I will look to create a sanitised set of instructions at some point, but hope the above helps in the mean time.

    Cameron.



    ------------------------------
    Cameron
    ------------------------------



  • 5.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-28-2024 09:25

    Hi,

    Thank you for your replies. I have found the solution to my problem. It was a crucial configuration in the maximo.properties file that needed to be done. After that, I started receiving logs from Maximo and fixed most of the problems. It works now.



    ------------------------------
    souleymen ben sedrine
    arondor
    ------------------------------



  • 6.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-23-2024 09:08

    Hello, please check the attached file. This is from my "how to" archive :)

    I'm not the author and I'm not sure if it's still available online anywhere, but I used it to set up SAML against MS Azure.



    ------------------------------
    Jan Ondrušek
    ------------------------------




  • 7.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-23-2024 21:47

    Thank you for your reply, Jan.

    I've followed the documentation you sent me, but I still encounter an issue when testing with Azure Entra. When I test, I get this page.

    Do I need to add a user in Maximo that has the same username as the account in my Azure Entra, or is there any configuration I have to do in Azure? Thank you.



    ------------------------------
    souleymen ben sedrine
    arondor
    ------------------------------



  • 8.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-29-2024 01:44
    Edited by Jan Ondrušek 05-29-2024 01:44

    Hello, sorry for the late reply. I went through the above comments and see that you have already solved it :)

    You mentioned the maximo.properties, I guess it was about mxe.useSAML and mxe.AppServer Security properties, right?

    For example this is setup for ICD7.6.1 but it's the same for Maximo: https://www.ibm.com/docs/en/control-desk/7.6.1.x?topic=security-configuring-assertion-markup-language-saml



    ------------------------------
    Jan Ondrušek
    ------------------------------



  • 9.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 05-29-2024 17:49

    Hello, thanks for your replies.
    Also, you need to include these properties in the maximo.properties.xml:

    mxe.saml.enabled

    mxe.saml.idpMetadataFile

    mxe.saml.sp.acsUrl

    mxe.saml.sp.EntityID

    mxe.saml.sp.targetUrl

    mxe.saml.sp.idMap

    mxe.saml.sp.principalName

    mxe.saml.userMapping

    mxe.saml.issuer

    These properties are needed for Maximo, and you can add other properties depending on the configuration you need.



    ------------------------------
    souleymen ben sedrine
    arondor
    ------------------------------



  • 10.  RE: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol

    Posted 09-03-2024 01:54

    Hello souleymen,

    Where do I obtain the values for the parameters below?

    mxe.saml.sp.principalName

    mxe.saml.userMapping

    mxe.saml.issuer



    ------------------------------
    Imran Badruddin
    ICSB
    ------------------------------