Maximo Open Forum

Hi @Steven Shull,

We are having issues with "Maximo mobile for EAM" SSO login. Azure AD SSO configuration with SAML completed and working correctly with Maximo web application.  

Only in the mobile it's not redirecting to sso login page, instead showing error message as "Invalid server address or Server not available".
Attaching the error message along with trace log for reference. Appreciate if you can go through and let us know what's wrong with this. We haven't done any specific changes in Mobile application for this to work and not aware what changes to be done. 

Maximo 7613 with Mobile 9, Android tablets with out MDM.

Thanks,

Suresh.

You provided the trace from the WebSphere side but in these scenarios, it's helpful to have the mobile logs as well to confirm. Since you have the debug app, you can also inspect the network traffic via developer tools. Seeing the network request being made and the response (IE a 404 error) will help pinpoint what exactly is wrong.

Make sure you are providing the URL up to /maximo but nothing after it (IE do NOT have /maximo/webclient...) 

One of the first things to check is that the system property mxe.useSAML is enabled. Normally in an EAM system a MOBILELOGIN application is downloaded but it is not intended to be downloaded in SAML systems. This system property is always supposed to be enabled when you have SAML configured but wasn't required for desktop use cases and is necessary for mobile use cases.

Another thing is to ensure that the /maximo/oslc is not filtered in the SAML configuration of WebSphere. Some customers configure WebSphere to not intercept /maximo/oslc so they can authenticate using LDAP credentials. This prevents you from being redirected to your identity provider which is a problem. The filters are configured in a property like sso_1.sp.filter (expand Security and select Global Security. Expand Web and SIP Security and select Trust Association. Under Additional Properties select Interceptors). 

Finally, some customers have a configured web.xml that they have put on top of the install. There are API requests that are made to Maximo using the /maximo/api that need to work without authentication. This was a newer route added (I think in 7.6.1.1 of Maximo) that I have seen some customers not incorporate in their web.xml from before and then just copy & paste their old web.xml when they patch. When that happens and you hit the /maximo/api endpoint it just fails. The web.xml to review is maximo\applications\maximo\maximouiweb\webmodule\WEB-INF in your Maximo install and should have a servlet mapping like:

Hi @Steven Shull,

We are having issues with "Maximo mobile for EAM" SSO login. Azure AD SSO configuration with SAML completed and working correctly with Maximo web application.  

Only in the mobile it's not redirecting to sso login page, instead showing error message as "Invalid server address or Server not available".
Attaching the error message along with trace log for reference. Appreciate if you can go through and let us know what's wrong with this. We haven't done any specific changes in Mobile application for this to work and not aware what changes to be done. 

Maximo 7613 with Mobile 9, Android tablets with out MDM.

Thanks,

Suresh.

Hi @Steven Shull,

I verified the following and configured exactly as suggested by you.

-> mxe.useSAML : 1
-> maximo.mobile.ldap.isForm : 1, same configured in xml files as well.
->  

</servlet-mapping>

Came across this IBM technote (https://www.ibm.com/support/pages/unauthenticated-error-during-login-maximo-mobile-eam-using-saml), which says to redirect to Idp login page in case of any errors. Configured the same, now I can see the SSO form login page in the response as shown below, but the same log-in page not showing in the app. There is only one network call that I can see while inspecting the traffic. 

You provided the trace from the WebSphere side but in these scenarios, it's helpful to have the mobile logs as well to confirm. Since you have the debug app, you can also inspect the network traffic via developer tools. Seeing the network request being made and the response (IE a 404 error) will help pinpoint what exactly is wrong.

Make sure you are providing the URL up to /maximo but nothing after it (IE do NOT have /maximo/webclient...) 

One of the first things to check is that the system property mxe.useSAML is enabled. Normally in an EAM system a MOBILELOGIN application is downloaded but it is not intended to be downloaded in SAML systems. This system property is always supposed to be enabled when you have SAML configured but wasn't required for desktop use cases and is necessary for mobile use cases.

Another thing is to ensure that the /maximo/oslc is not filtered in the SAML configuration of WebSphere. Some customers configure WebSphere to not intercept /maximo/oslc so they can authenticate using LDAP credentials. This prevents you from being redirected to your identity provider which is a problem. The filters are configured in a property like sso_1.sp.filter (expand Security and select Global Security. Expand Web and SIP Security and select Trust Association. Under Additional Properties select Interceptors). 

Finally, some customers have a configured web.xml that they have put on top of the install. There are API requests that are made to Maximo using the /maximo/api that need to work without authentication. This was a newer route added (I think in 7.6.1.1 of Maximo) that I have seen some customers not incorporate in their web.xml from before and then just copy & paste their old web.xml when they patch. When that happens and you hit the /maximo/api endpoint it just fails. The web.xml to review is maximo\applications\maximo\maximouiweb\webmodule\WEB-INF in your Maximo install and should have a servlet mapping like:

Hi @Steven Shull,

We are having issues with "Maximo mobile for EAM" SSO login. Azure AD SSO configuration with SAML completed and working correctly with Maximo web application.  

Only in the mobile it's not redirecting to sso login page, instead showing error message as "Invalid server address or Server not available".
Attaching the error message along with trace log for reference. Appreciate if you can go through and let us know what's wrong with this. We haven't done any specific changes in Mobile application for this to work and not aware what changes to be done. 

Maximo 7613 with Mobile 9, Android tablets with out MDM.

Thanks,

Suresh.

maximo.mobile.ldap.isForm this should NOT be enabled. You should only enable that if you are using LDAP authentication (no SAML). Phrased another way, you can have mxe.useSAML or maximo.mobile.ldap.isForm, never both enabled. 

That login screen you're seeing is the Maximo login page, not the IDP page. That means your SAML configuration is not redirecting to the identity provider which means your SAML configuration is incorrect. Your IDP page would be Entra, Okta, Ping, etc. depending on whatever your identity provider is. 

Hi @Steven Shull,

I verified the following and configured exactly as suggested by you.

-> mxe.useSAML : 1
-> maximo.mobile.ldap.isForm : 1, same configured in xml files as well.
->  

</servlet-mapping>

Came across this IBM technote (https://www.ibm.com/support/pages/unauthenticated-error-during-login-maximo-mobile-eam-using-saml), which says to redirect to Idp login page in case of any errors. Configured the same, now I can see the SSO form login page in the response as shown below, but the same log-in page not showing in the app. There is only one network call that I can see while inspecting the traffic. 

You provided the trace from the WebSphere side but in these scenarios, it's helpful to have the mobile logs as well to confirm. Since you have the debug app, you can also inspect the network traffic via developer tools. Seeing the network request being made and the response (IE a 404 error) will help pinpoint what exactly is wrong.

Make sure you are providing the URL up to /maximo but nothing after it (IE do NOT have /maximo/webclient...) 

One of the first things to check is that the system property mxe.useSAML is enabled. Normally in an EAM system a MOBILELOGIN application is downloaded but it is not intended to be downloaded in SAML systems. This system property is always supposed to be enabled when you have SAML configured but wasn't required for desktop use cases and is necessary for mobile use cases.

Another thing is to ensure that the /maximo/oslc is not filtered in the SAML configuration of WebSphere. Some customers configure WebSphere to not intercept /maximo/oslc so they can authenticate using LDAP credentials. This prevents you from being redirected to your identity provider which is a problem. The filters are configured in a property like sso_1.sp.filter (expand Security and select Global Security. Expand Web and SIP Security and select Trust Association. Under Additional Properties select Interceptors). 

Finally, some customers have a configured web.xml that they have put on top of the install. There are API requests that are made to Maximo using the /maximo/api that need to work without authentication. This was a newer route added (I think in 7.6.1.1 of Maximo) that I have seen some customers not incorporate in their web.xml from before and then just copy & paste their old web.xml when they patch. When that happens and you hit the /maximo/api endpoint it just fails. The web.xml to review is maximo\applications\maximo\maximouiweb\webmodule\WEB-INF in your Maximo install and should have a servlet mapping like:

Hi @Steven Shull,

We are having issues with "Maximo mobile for EAM" SSO login. Azure AD SSO configuration with SAML completed and working correctly with Maximo web application.  

Only in the mobile it's not redirecting to sso login page, instead showing error message as "Invalid server address or Server not available".
Attaching the error message along with trace log for reference. Appreciate if you can go through and let us know what's wrong with this. We haven't done any specific changes in Mobile application for this to work and not aware what changes to be done. 

Maximo 7613 with Mobile 9, Android tablets with out MDM.

Thanks,

Suresh.