Maximo Open Forum

  • 1.  How to Handle User Management through SAML without LDAP in Maximo 7.6

    Posted 07-13-2023 15:01
    Hi Everyone,
     
    We are trying to implement SAML SSO without LDAP. I just want to check how to manage the users without AD. The IdP will push the header information, but is there any way Maximo supports reading the header data and creating user records in Maximo, as well as the security groups?
    I have got an answer stating that a custom cron has to be set up to pull the data from the identity provider.
    Is this a limitation of the Maximo product that, while making the SAML request, Maximo cannot read header data and create the user during authentication between the IdP and SP?
    If not, how do we create users if the SAML setup is done without AD and LDAP?

    #EverythingMaximo
    #MaximoUserGroups
    #Security
    #ServiceProvider

    ------------------------------
    Pradeep Rout
    TCSL
    ------------------------------


  • 2.  RE: How to Handle User Management through SAML without LDAP in Maximo 7.6

    Posted 07-17-2023 07:49

    Correct, there is no JIT provisioning of SAML users, and we don't (yet) support the SCIM standard for automating the push of the user from your identity provider. This is on our roadmap (https://ibm-ai-apps.ideas.ibm.com/ideas/MSS1-I-27), but there is no specific release date, and it will only be valid for MAS (not the EAM 7.6.1.X product).

    Unfortunately, in the interim you need to build your own way of pushing in users. Most people integrate with the API of the identity provider, such as the MS Graph API for Azure AD, to handle this in the interim.



    ------------------------------
    Steven Shull
    IBM
    ------------------------------



  • 3.  RE: How to Handle User Management through SAML without LDAP in Maximo 7.6

    Posted 07-18-2023 11:09

    Hi Steven,

    Thanks for your reply. We will have LDAP for internal users; for external users we are using the SAML configuration. So basically there will be 2 authentications: 1 for internal users with AD and LDAP, another for external users with SAML. My question is, even if we push the external users through the identity provider, what we suspect is that, as LDAP is there, VMMSYNC will run and remove these external users, as these users are not AD users. Is there any way to filter and restrict the users from being revoked when they come through the identity provider? Please let us know if any additional filter can be set at the VMMSYNC level to manage this.

    Regards,

    Pradeep



    ------------------------------
    Pradeep Rout
    TCSL
    ------------------------------



  • 4.  RE: How to Handle User Management through SAML without LDAP in Maximo 7.6

    Posted 07-18-2023 11:34

    There are parameters on the VMMSYNC to filter, but users that do not exist in LDAP should not be impacted from a user perspective. I.e., you can add a user that does not reside in LDAP, and it should not deactivate the user because it wasn't found in LDAP. Now, where you may be impacted is group synchronization. If you have a group that exists in LDAP and the user is not part of the group, they will be removed any time the synchronization occurs. Not all customers use this process to synchronize groups, but if you do, you will need alternate security groups that do not exist in LDAP for users that are coming from SAML.



    ------------------------------
    Steven Shull
    IBM
    ------------------------------



  • 5.  RE: How to Handle User Management through SAML without LDAP in Maximo 7.6

    Posted 07-18-2023 12:51

    Hi Steven,

    Thanks for your reply. What I understood is that you are referring to duplicating the security groups which are currently part of LDAP and renaming them, so that the system will distinguish them and the new groups will be linked to the external users.

    Thanks.

     



    ------------------------------
    Pradeep Rout
    TCSL
    ------------------------------



  • 6.  RE: How to Handle User Management through SAML without LDAP in Maximo 7.6
    Best Answer

    Posted 07-18-2023 15:21

    I think we're on the same page but to be sure:

    If a security group (i.e. MAXADMIN) exists in LDAP and isn't filtered out by the group filter, then the VMMSYNC will add/remove users from the security group based on what exists in the domain. If user A is a non-LDAP user and you add them to MAXADMIN, they will be removed on the next synchronization.

    If a security group (i.e. SAMLMAXADMIN) does not exist in LDAP (or is filtered out), then any users in that group will need to be manually added/removed. This could include a SAML or LDAP user, and neither will have the group removed on synchronization. You can duplicate/clone an existing security group to get it started, but it's entirely managed by the customer.



    ------------------------------
    Steven Shull
    IBM
    ------------------------------
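The distinction Steven draws between LDAP-synced and manually managed security groups, modelled as an added Python example (this is not Maximo code; the reconcile function, the group filter, and the users and groups in the sample data are constructed assumptions that mimic the behaviour he describes):

```python
# Added example (not Maximo's own code): a model of the VMMSYNC group
# reconciliation behaviour described in this thread, used to predict which
# group memberships the next synchronization would strip from SAML users.

def reconcile(ldap_groups, maximo_groups, group_filter=lambda g: True):
    """Return (to_add, to_remove) as sets of (group, user) tuples.

    Only groups that exist in LDAP *and* pass the group filter are
    reconciled against the directory; every other Maximo group is left
    untouched, which is the property the thread relies on for SAML-only
    groups such as a cloned SAMLMAXADMIN.
    """
    to_add, to_remove = set(), set()
    for group, members in maximo_groups.items():
        if group not in ldap_groups or not group_filter(group):
            continue  # manually managed group: SAML users survive here
        ldap_members = ldap_groups[group]
        to_remove |= {(group, u) for u in members - ldap_members}
        to_add |= {(group, u) for u in ldap_members - members}
    return to_add, to_remove

def saml_users_at_risk(to_remove, saml_users):
    """Memberships the synchronization would take away from SAML users."""
    return {(g, u) for g, u in to_remove if u in saml_users}

# Constructed sample data (hypothetical users and groups, not real data).
LDAP = {"MAXADMIN": {"alice", "bob"}, "MAXEVERYONE": {"alice", "bob"}}
MAXIMO = {
    "MAXADMIN": {"alice", "bob", "ext_carol"},  # SAML user added by hand
    "SAMLMAXADMIN": {"ext_carol", "alice"},     # cloned group, not in LDAP
    "MAXEVERYONE": {"alice"},                   # bob missing, sync adds him
}
SAML_USERS = {"ext_carol"}

def sync_all_ldap_groups():
    """Default behaviour: every group found in LDAP is reconciled."""
    return reconcile(LDAP, MAXIMO)

def sync_with_group_filter():
    """Filter MAXADMIN out of the sync so it becomes manually managed."""
    return reconcile(LDAP, MAXIMO, group_filter=lambda g: g != "MAXADMIN")

if __name__ == "__main__":
    _, removed = sync_all_ldap_groups()
    print("removed on next sync:", sorted(removed))
    print("SAML memberships lost:", sorted(saml_users_at_risk(removed, SAML_USERS)))
    _, removed = sync_with_group_filter()
    print("with MAXADMIN filtered out:", sorted(removed))
```

Running it shows ext_carol losing MAXADMIN on the next sync while keeping SAMLMAXADMIN, and no loss at all once MAXADMIN is excluded by the group filter.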



  • 7.  RE: How to Handle User Management through SAML without LDAP in Maximo 7.6

    Posted 07-18-2023 16:45

    Thanks Steven.

    We will validate this, and we appreciate your help in this regard.



    ------------------------------
    Pradeep Rout
    TCSL
    ------------------------------



  • 8.  RE: How to Handle User Management through SAML without LDAP in Maximo 7.6

    Posted 08-14-2023 16:25

    Thanks Steven for the quick help on the user management query.



    ------------------------------
    Pradeep Rout
    TCSL
    ------------------------------