Maximo Open Forum


 Users Management in SAML Authentication

  • Administration
  • Maximo Application Suite
Hitesh Sharma posted 09-26-2022 11:00

Hello Everyone,

My understanding of SAML authentication in MAS 8 is very limited, so please let me know if I am missing a point here, but my assumptions are:

  1. Users are created in MAS, a layer on top of the Manage module. Unlike MX76, we can't directly create a user in Maximo, i.e. the equivalent of Manage.
  2. With SAML, we can have an email ID as the USERID that works as SSO across multiple systems.
  3. MAXUSER.USERID, MAXUSER.LOGINID and MAXUSER.PERSONID are all the same when users are created.
  4. By default, we don't get an option to pick a different PERSONID in MAS.

Now, based on the above assumptions, I have a few queries around SAML authentication specifically:

  1. Is there a way to have a different Login ID and User ID, and have only the Login ID authenticated via SSO and not the USERID?
  2. If yes, is it possible in all three authentication types: local, LDAP and SAML?
  3. If we delink the USERID and PERSONID created in MAS, and locally create a PERSONID in the People application and associate it with the SAML USERID, does it break anything?
Michael Marsonet
Hi Hitesh,
Let me clarify some of your understanding points first:

1. You can manually create users in Maximo Manage by adjusting the correct System Properties, or use MXLoader to create the PERSON and USER records. MXLoader may be better suited, since you want to control the USERID, LOGINID and PERSONID (item #3). Now, if you do this, there is a new CRONTASK definition called MASUSERSYNC which will take your existing Maximo Manage users and sync them back to MAS. More details here: https://www.ibm.com/support/pages/owner-and-issuer-cron-task-instance
2. With SAML you simply want to match the LOGINID with the ID on your identity provider (IdP). This can be an email or a username (e.g., firstname.lastname).
3. I would use MXLoader to create new accounts; this way you can control what values you want for MAXUSER.USERID, MAXUSER.LOGINID and PERSON.PERSONID.
4. I would likely avoid using MAS to create new user accounts and continue to define them through Maximo Manage.

Hope this helps,
Mike
Steven Shull
Michael's feedback here is good. Two things I wanted to add: in MAS 8.8 we added the ability to have a different USERID and LOGINID. We made the terminology a bit confusing (User ID is the unique ID that cannot be changed, and Username is the editable field that gets used as the loginid), but it is possible to do now. Your PERSONID will match USERID on new records, which is good practice anyway.

Regarding the three authentication types, yes! This was one of the benefits of us providing our own identity provider. Users can mix and match SAML, LDAP and Native auth (called Local auth now) for the first time in a supported way. Today you are limited to one of each (i.e. 1 LDAP and/or 1 SAML), but we have plans to address that over time. We also plan to improve the user import scenarios so you can bulk import users with a file, API, etc. directly into MAS.
Christopher Winston
The interesting good news is that the field lengths are all the same for PERSONID, LOGINID and USERID.

LABORCODE, however, still defaults to 8, so that is something else to consider early on if possible.
Hitesh Sharma
Thanks Mike, Steven and Christopher for responding to my query. I tried to create a local user via MIF, keeping USERID and PERSONID the same and using a different LOGINID. The record was created and the cron task instance ran, but it couldn't sync it to MAS. When I tried the same keeping all three the same, I could then see the user newly created from Manage in MAS.

I also checked these classes and methods but couldn't find it:
psdi.server.MASUserSyncCronTask | Method: cronAction()
psdi.iface.mic.MicService | Methods: syncUsersToMAS() and syncUserData()

  1. Do we know where exactly this check is happening, and whether we can suppress it to keep LOGINID and USERID different?
  2. If we use the Enterprise Service MASPERUSER and set a different USERID, it will create discrepancies between MAS and Manage, and with Sync on, it is anyway not working if all three values are not the same.
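Before loading user records through MXLoader or the MIF, it is worth checking the rows against the constraints this thread surfaces: USERID and PERSONID should match on new records, LOGINID must match the IdP identifier (an email when the IdP uses one), LABORCODE defaults to 8 characters, and, per the original poster's observation, a record whose LOGINID differs from USERID was not picked up by the MASUSERSYNC cron task. The following pre-flight validator is an added example and not code from IBM, MXLoader or anyone in the thread. It assumes a CSV with the columns USERID, LOGINID, PERSONID and LABORCODE, a 30-character limit for the three ID fields (ID_MAX; the thread says only that the three lengths are equal, so adjust this to your MAXATTRIBUTE values), and treats the "LOGINID must equal USERID for sync" rule as the behaviour observed in the thread rather than documented MAS behaviour.

```python
"""Pre-flight validator for Maximo Manage user import rows (added example).

Assumptions not stated on the page: ID_MAX = 30 for USERID/LOGINID/PERSONID,
and the LOGINID == USERID rule reflects the sync behaviour reported in the
thread, not a documented MASUSERSYNC check.
"""
import csv
import io
import re
from dataclasses import dataclass

ID_MAX = 30          # assumed common length of USERID/LOGINID/PERSONID; verify in MAXATTRIBUTE
LABORCODE_MAX = 8    # default LABORCODE length mentioned in the thread
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Finding:
    row: int         # 1-based data row in the input
    level: str       # "ERROR" blocks the load, "WARN" is advisory
    field: str
    message: str


def parse_rows(csv_text: str) -> list[dict]:
    """Parse CSV text with a USERID,LOGINID,PERSONID,LABORCODE header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_rows(rows, idp_uses_email=True, require_mas_sync=True) -> list[Finding]:
    """Return every problem found; comparisons are case-insensitive because
    Manage stores USERID and PERSONID in upper case."""
    findings = []
    seen = {"USERID": {}, "LOGINID": {}}
    for n, r in enumerate(rows, start=1):
        userid = (r.get("USERID") or "").strip()
        loginid = (r.get("LOGINID") or "").strip()
        personid = (r.get("PERSONID") or "").strip()
        laborcode = (r.get("LABORCODE") or "").strip()

        # Length and presence checks
        for name, val in (("USERID", userid), ("LOGINID", loginid), ("PERSONID", personid)):
            if not val:
                findings.append(Finding(n, "ERROR", name, "empty"))
            elif len(val) > ID_MAX:
                findings.append(Finding(n, "ERROR", name, f"{len(val)} chars exceeds {ID_MAX}"))
        if len(laborcode) > LABORCODE_MAX:
            findings.append(Finding(n, "ERROR", "LABORCODE",
                                    f"{len(laborcode)} chars exceeds default length {LABORCODE_MAX}"))

        # Identity linkage checks from the thread
        if userid and personid and userid.upper() != personid.upper():
            findings.append(Finding(n, "ERROR", "PERSONID", "PERSONID should equal USERID on new records"))
        if require_mas_sync and userid and loginid and loginid.upper() != userid.upper():
            findings.append(Finding(n, "ERROR", "LOGINID",
                                    "differs from USERID; MASUSERSYNC was observed not to sync such records"))
        if idp_uses_email and loginid and not EMAIL_RE.match(loginid):
            findings.append(Finding(n, "WARN", "LOGINID", "not an email; must match the IdP identifier"))

        # Duplicate detection across the file
        for name, val in (("USERID", userid), ("LOGINID", loginid)):
            key = val.upper()
            if key and key in seen[name]:
                findings.append(Finding(n, "ERROR", name, f"duplicate of row {seen[name][key]}"))
            elif key:
                seen[name][key] = n
    return findings


def is_loadable(findings) -> bool:
    return not any(f.level == "ERROR" for f in findings)


# Constructed sample input: one clean row, one with a mismatched LOGINID,
# one with a LABORCODE longer than the 8-character default.
SAMPLE_CSV = """USERID,LOGINID,PERSONID,LABORCODE
JANE.DOE@EXAMPLE.COM,jane.doe@example.com,JANE.DOE@EXAMPLE.COM,JDOE
BOB,bob.smith@example.com,BOB,BSMITH
CARLA.LONG@EXAMPLE.COM,carla.long@example.com,CARLA.LONG@EXAMPLE.COM,CARLALONG1
"""

if __name__ == "__main__":
    results = validate_rows(parse_rows(SAMPLE_CSV))
    for f in results:
        print(f"row {f.row} {f.level} {f.field}: {f.message}")
    print("loadable:", is_loadable(results))
```

Run it against your real export before loading; pass `require_mas_sync=False` if you intend to keep LOGINID and USERID different and accept that the Manage record will not appear in MAS, and `idp_uses_email=False` when the IdP subject is a plain username.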