Thank you for your replies. I have found the solution to my problem. It was a crucial configuration in the maximo.properties file that needed to be done. After that, I started receiving logs from Maximo and fixed most of the problems. It works now.
Original Message:
Sent: 05-27-2024 16:33
From: Cameron Simpson
Subject: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol
Hi,
Sorry for the delay. My experience with Azure is that you need a custom SAML Authentication Request Provider; I have not been successful with just the steps that are covered by the good document Jan has nicely provided. This is detailed on this IBM link: Enabling SAML SP-Initiated web single sign-on (SSO) - IBM Documentation.
Azure - you need the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and the Sign On URL configured. Your screenshot section 1 only has the first two configured. Whilst your URLs look to be internal URLs, that should still work. The Sign On URL would be something like https://192.168.1.12:40800/maximo based on your screenshot - the URL to access Maximo.
Section 2 on the Azure SAML setup you have used user.userprincipalname for the Name ID - this means in Maximo your login IDs will need to be Azure UPNs - the login user names that look like email addresses which is good as that is what you log into Azure with.
You need (not technically, but advisable) the SAML certificate of the Azure enterprise app (section three on your screenshot - the base64 version). You need the Login URL and Microsoft Entra Identifier details, which should be #4 on that same Azure screen in your screenshot.
I cannot give you our custom SAML Authentication Request Provider jar file - I will see if I can make a generic one, but still this is something you should compile yourself since it is security related after all. You install this by copying the jar file to ...\IBM\WebSphere\AppServer\lib\ext on each of the WebSphere servers (if you have multiple in a cluster).
You install the Certificate into WebSphere - remembering the Alias. And as in Jan's document, you install the SAML Assertion Consumer Service (ACS) - remembering to set the custom properties com.ibm.websphere.security.DeferTAItoSSO and com.ibm.websphere.security.InvokeTAIbeforeSSO both to com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.
Trust association setting wise:
- sso_1.sp.acsUrl - the same as you set Azure Sign on URL and as you have used
- sso_1.sp.EntityID - using the same as sso_1.sp.acsUrl is simple and as you have set up in Azure
- sso_1.sp.login.error.page - this is the Java class file name of your custom SAML Authentication Request Provider that you need to compile
- sso_1.sp.targetUrl - this is the URL to go to after sign in, typically the start center for Maximo, so guessing something like https://192.168.1.12:40800/maximo/ui/?event=loadapp&value=startcntr based on the URL in your screenshot
- sso_1.idp_1.SingleSignOnUrl - the log in URL from Azure
- sso_1.idp_1.EntityID - the Entra Identifier ID from Azure
- sso_1.idp_1.certAlias - the alias of the SSL cert you installed in WebSphere from Azure
- sso_1.sp.filter - not needed, but can be used if you want to bypass the redirect
- sso_1.sp.idMap - idAssertion
- sso_1.sp.groupMap - localRealm
- sso_1.sp.trustStore - CellDefaultTrustStore (I am assuming this is where you will install the SSL cert)
- sso_1.sp.keyStore - CellDefaultKeyStore (again based on where I expect you would install the cert)
- sso_1.sp.useRealm - defaultWIMFileBasedRealm (probably the value you are after if you have not got a custom setup in WebSphere)
There are other settings you could use, like sso_1.sp.enforceTaiCookie set to false if you were using the filter setting to have a bypass to Maximo's login form URL, to enable bypassing SSO and manually signing in - you need an LDAP repository set up in WebSphere for that.
I will look to create a sanitised set of instructions at some point, but hope the above helps in the meantime.
Cameron.
------------------------------
Cameron
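As an added illustration of the settings Cameron lists above (this is not code from the thread or from IBM), the script below holds a constructed sso_1.* property set plus the two WebSphere custom properties and runs the consistency checks a reviewer would do before restarting the server: every key the reply names is present, the SP URLs are https, sp.EntityID matches sp.acsUrl, the post-login sp.targetUrl stays on the same host and port as the ACS URL, idMap/groupMap carry the values given, and DeferTAItoSSO/InvokeTAIbeforeSSO both point at the ACS TAI class. The sample values are hypothetical: the Azure Login URL and Entra Identifier are placeholders for the tenant-specific values, and the provider class name is invented.

```python
"""Consistency checks for a WebSphere SAML TAI property set used with Maximo.

Added example, not part of the original thread. The sso_1.* keys are the ones
listed in Cameron's reply; all values below are constructed sample values.
"""
from urllib.parse import urlparse

# Keys the reply names as needed for an SP-initiated setup (sp.filter is optional).
REQUIRED_KEYS = (
    "sso_1.sp.acsUrl",
    "sso_1.sp.EntityID",
    "sso_1.sp.login.error.page",
    "sso_1.sp.targetUrl",
    "sso_1.idp_1.SingleSignOnUrl",
    "sso_1.idp_1.EntityID",
    "sso_1.idp_1.certAlias",
    "sso_1.sp.idMap",
    "sso_1.sp.groupMap",
    "sso_1.sp.trustStore",
    "sso_1.sp.keyStore",
    "sso_1.sp.useRealm",
)

ACS_TAI_CLASS = "com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor"

# Constructed sample (hypothetical values). <TENANT-ID> marks the placeholders
# for the Login URL and Microsoft Entra Identifier taken from the Azure app;
# the provider class name is invented for the example.
SAMPLE_TAI = {
    "sso_1.sp.acsUrl": "https://192.168.1.12:40800/maximo",
    "sso_1.sp.EntityID": "https://192.168.1.12:40800/maximo",
    "sso_1.sp.login.error.page": "com.example.sso.AzureSamlAuthnRequestProvider",
    "sso_1.sp.targetUrl": "https://192.168.1.12:40800/maximo/ui/?event=loadapp&value=startcntr",
    "sso_1.idp_1.SingleSignOnUrl": "https://login.microsoftonline.com/<TENANT-ID>/saml2",
    "sso_1.idp_1.EntityID": "https://sts.windows.net/<TENANT-ID>/",
    "sso_1.idp_1.certAlias": "azure-saml-signing",
    "sso_1.sp.idMap": "idAssertion",
    "sso_1.sp.groupMap": "localRealm",
    "sso_1.sp.trustStore": "CellDefaultTrustStore",
    "sso_1.sp.keyStore": "CellDefaultKeyStore",
    "sso_1.sp.useRealm": "defaultWIMFileBasedRealm",
}

# The two WebSphere global security custom properties from the reply.
SAMPLE_CUSTOM_PROPS = {
    "com.ibm.websphere.security.DeferTAItoSSO": ACS_TAI_CLASS,
    "com.ibm.websphere.security.InvokeTAIbeforeSSO": ACS_TAI_CLASS,
}


def _origin(url):
    """(scheme, host, port) of a URL; used to keep the redirect on the Maximo host."""
    parsed = urlparse(url)
    return (parsed.scheme, parsed.hostname, parsed.port)


def check_tai(tai, custom_props):
    """Return a list of findings; an empty list means the set is consistent."""
    findings = []
    for key in REQUIRED_KEYS:
        if not tai.get(key):
            findings.append(f"missing: {key}")

    # SP-side URLs and the IdP sign-on URL must be https.
    for key in ("sso_1.sp.acsUrl", "sso_1.sp.targetUrl", "sso_1.idp_1.SingleSignOnUrl"):
        value = tai.get(key)
        if value and urlparse(value).scheme != "https":
            findings.append(f"not https: {key}")

    acs = tai.get("sso_1.sp.acsUrl")
    entity = tai.get("sso_1.sp.EntityID")
    if acs and entity and entity != acs:
        findings.append("sp.EntityID differs from sp.acsUrl (reply recommends keeping them identical)")

    # The post-login redirect should land on the same host/port as the ACS URL.
    target = tai.get("sso_1.sp.targetUrl")
    if acs and target and _origin(target) != _origin(acs):
        findings.append("sp.targetUrl is not on the same scheme/host/port as sp.acsUrl")

    for key, expected in (("sso_1.sp.idMap", "idAssertion"), ("sso_1.sp.groupMap", "localRealm")):
        if tai.get(key) and tai[key] != expected:
            findings.append(f"{key} should be {expected}")

    # Both custom properties must name the ACS TAI for the interceptor to be invoked.
    for key in ("com.ibm.websphere.security.DeferTAItoSSO", "com.ibm.websphere.security.InvokeTAIbeforeSSO"):
        if custom_props.get(key) != ACS_TAI_CLASS:
            findings.append(f"{key} must be set to {ACS_TAI_CLASS}")

    # A filter-based bypass only takes effect when the TAI cookie is not enforced.
    if tai.get("sso_1.sp.filter") and tai.get("sso_1.sp.enforceTaiCookie", "").lower() != "false":
        findings.append("sp.filter is set but sp.enforceTaiCookie is not false")
    return findings


if __name__ == "__main__":
    for line in check_tai(SAMPLE_TAI, SAMPLE_CUSTOM_PROPS) or ["no findings"]:
        print(line)
```

The check only reasons about the property values themselves; it cannot confirm that the certificate under certAlias is actually the one Azure signs with, so the alias and the Entra Identifier still need to be compared against the enterprise app by hand.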
Original Message:
Sent: 05-22-2024 15:45
From: souleymen ben sedrine
Subject: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol
Hi Cameron,
Thank you for your response.
I'm working on an IdP-initiated setup. Here are the steps I followed during my configuration:
Installed and Configured WebSphere and Maximo 7.6.1.3:
- Followed the instructions in the Maximo SAML Configuration Documentation.
Installed the SAML (ACS) and Enabled SAML TAI:
- Followed the detailed steps in the WebSphere SAML SSO Feature Documentation.
Modified the web.xml Files:
- Attached the modified web.xml files with their paths as names.
Configured Properties in the Interceptor:
- Configured the properties in the interceptor, as shown in the attached screenshots.
Exported and Uploaded Metadata Files:
- Exported the metadata file from WebSphere and uploaded it to Azure Entra.
- Exported the metadata file from Azure and uploaded it to WebSphere, following the documentation instructions.
I'll attach screenshots of my configuration so you can see exactly what I have done.
Could you please help me with the correct steps and configuration? Your assistance would be greatly appreciated.
Thank you.
------------------------------
souleymen ben sedrine
arondor
Original Message:
Sent: 05-22-2024 15:27
From: Cameron Simpson
Subject: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol
Hi,
Are you wanting IdP initiated or SP initiated? I have had IdP initiated working without a custom class for the SAML authentication request provider, but I did not keep a copy of the TAI settings for that - but it is possible if this is the workflow you need.
For SP initiated, you will need to create a SAML authentication request provider (I have not worked out a way around that). With that I can share the setup steps and settings we have configured. You can do some setup, send your Azure team a metadata file and they build the Azure Enterprise Application (ruleset their side) and then send you a metadata file to complete the setup in WebSphere. We are doing it manually as it makes more sense in our situation.
Thanks,
Cameron
------------------------------
Cameron
Original Message:
Sent: 05-08-2024 13:39
From: souleymen ben sedrine
Subject: Maximo 7.6.1.3 Integration with Microsoft Azure SSO Using SAML Protocol
Hello,
I'm in the process of integrating Maximo Asset Management 7.6.1.3 with Microsoft Azure and require assistance to configure Single Sign-On (SSO) using the SAML protocol.
I would appreciate any guidance on configuring both the WebSphere application and the Microsoft Azure portal to facilitate this integration, and thank you.
Anything would help me.
#EverythingMaximo
------------------------------
souleymen ben sedrine
arondor