Maximo Open Forum

 Need Help Configuring SP-Initiated SSO for Maximo Mobile (7.6.13) with Azure AD - Biometric Question

Alex Forbes posted 04-11-2025 16:24

Hello everyone, 

Our team is currently working on setting up SSO for Maximo Mobile ver. 8.11 using Azure Active Directory as our Identity Provider. Our Maximo environment is running version 7.6.13 on WebSphere 9.0.5.19.

We have successfully installed Maximo Mobile and believe WebSphere is configured correctly to work with the IdP. Currently, when we access Maximo Mobile on an iOS device, it redirects us to Azure AD for authentication. After successful Azure authentication, we are then taken to the standard Maximo login page within the app, where we need to enter our Maximo credentials again before the mobile application becomes fully functional.

Our goal is to implement SP-initiated SSO so that users are directly authenticated into Maximo Mobile via Azure AD without the secondary Maximo login prompt. We are uncertain about the specific configuration steps required within Maximo 7.6.13 and WebSphere 9 to achieve this SP-initiated flow.

Our specific questions are:

  1. What are the necessary configuration steps within Maximo 7.6.13 and WebSphere 9.0.5.19 to enable SP-initiated SSO with Azure AD for Maximo Mobile 8.11? Any detailed guides, specific settings, or best practices would be greatly appreciated.

  2. We are planning to deploy Maximo Mobile on Windows-based tablets. We've noticed that the Maximo Mobile app seems to require the use of biometrics for login on these devices. Is there a way to disable the mandatory use of biometrics within Maximo Mobile App 8.11? Our current corporate policies do not support the use of Windows Hello / biometrics on these tablets. 

Any insights, advice, or pointers to relevant documentation would be extremely helpful as we work to streamline our mobile access.

Thank you in advance for your time and assistance!

Steven Shull

I'll start with the second question first. For Windows specifically (not iOS/Android yet, though this will be changing in 9.1) we have two methods to disable Windows Hello. If you are using an MDM like Intune, you should follow this: https://www.ibm.com/docs/en/masv-and-l/maximo-manage/cd?topic=mmiw-configuring-maximo-mobile-application-settings-windows-mobile-device-manager

If you are not using an MDM, you can follow the steps here and set the enableWindowsHello to false: https://www.ibm.com/docs/en/masv-and-l/maximo-manage/cd?topic=mmiw-configuring-maximo-mobile-application-settings-windows-from-command-line


Regarding 1, the Maximo Mobile configuration is identical to configuring SAML for Maximo. Some customers have configured a filter to ignore the /maximo/oslc route historically to enable authentication with LDAP credentials for integrations that would not work for Maximo Mobile. However, in your example it sounds like that piece is configured correctly since WebSphere is triggering the redirect to the identity provider. It sounds like your issue might be with the target URL in WebSphere or that you haven't mapped the trust all authenticated realms to the application.