Single Sign On (SSO) and SAML Authentication

IBM Maximo and TRIRIGA on Cloud support Single Sign On (SSO) authentication via SAML 2.0. This is the most common method of authentication to IBM Cloud environments and is considered best practice; it can be configured after the initial customer environments have been provisioned. In a SAML scenario, the customer is the Identity Provider (IdP) and IBM Cloud is the Service Provider (SP). SAML authentication runs over the internet using HTTPS (port 443), so no VPN or other special connectivity is required. IBM Cloud Delivery Services uses the IBM WebSphere SAML Trust Association Interceptor (TAI) to enable SAML authentication for Maximo and TRIRIGA.

The basic steps involved in setting up SAML Authentication with a Maximo or TRIRIGA on Cloud environment are as follows:

  1. Customer initiates the SAML configuration by submitting a case to the IBM Support Community indicating the target environment(s) in which they would like to configure SAML

  2. IBM performs initial SAML configuration on the requested environment and generates a metadata file

  3. Metadata file is sent to the customer

  4. Customer uses metadata file to configure the IdP (metadata contains ACS URL and EntityID)

  5. Customer performs IdP configuration and generates a metadata file

  6. Metadata file is sent back to IBM. Please note:

    • Customer Metadata must contain the Token Signing Certificate

    • IdP should be configured to send an outgoing NameID claim in the Assertion (this is the only required value)

    • The NameID should be populated from an AD attribute whose value matches the user's loginID attribute (as configured in Maximo) or username field (as configured in TRIRIGA)

  7. IBM imports customer metadata and finalizes the target environment configuration

  8. A call between customer and IBM is scheduled to enable the configuration and test user authentication. 30mins - 1 hour is usually sufficient
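As an added example (not IBM's own tooling, and not something the WebSphere TAI runs), the following Python script checks the two metadata files exchanged in the steps above: it extracts the ACS URL and EntityID the customer needs from the SP metadata (step 4) and confirms that the IdP metadata returned in step 6 carries a token-signing certificate. The metadata documents, entity IDs, URLs and certificate bytes are constructed placeholders.

```python
"""Checks on the SAML metadata exchanged in steps 2 to 7.

Added example, not IBM code. Both metadata documents, the entity IDs,
the URLs and the certificate bytes below are constructed placeholders.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata, standing in for the file IBM generates in step 2.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-maximo.ibm.example/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-maximo.ibm.example/samlsps/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Placeholder DER bytes (an ASN.1 SEQUENCE header followed by junk), not a real certificate.
FAKE_DER = b"\x30\x82\x00\x14" + b"not-a-real-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed IdP metadata, standing in for the file the customer returns in step 6.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.customer.example/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.customer.example/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_endpoints(xml_text):
    """Return (EntityID, ACS URL) from SP metadata: the two values step 4 needs."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs = root.find(f"md:SPSSODescriptor/md:AssertionConsumerService[@Binding='{HTTP_POST}']", NS)
    if not entity_id or acs is None or not acs.get("Location"):
        raise ValueError("SP metadata lacks an entityID or an HTTP-POST AssertionConsumerService")
    return entity_id, acs.get("Location")


def idp_signing_certs(xml_text):
    """Return the DER bytes of every token-signing certificate in IdP metadata.

    An empty list means the first step-6 requirement is not met: without a
    signing certificate the SP cannot verify the assertions this IdP sends.
    """
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except binascii.Error as exc:
                raise ValueError("X509Certificate is not valid base64") from exc
            if not der.startswith(b"\x30"):  # DER certificates start with an ASN.1 SEQUENCE tag
                raise ValueError("X509Certificate content is not DER-encoded")
            certs.append(der)
    return certs


if __name__ == "__main__":
    print("Configure the IdP with EntityID/ACS:", sp_endpoints(SP_METADATA))
    print("Signing certificates in IdP metadata:", len(idp_signing_certs(IDP_METADATA)))
```

A KeyDescriptor marked `use="encryption"` only is not enough for step 6: the SP needs a signing key to validate the assertion, so an IdP export that omits the signing certificate should be sent back to the customer before IBM imports it.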

After the above configuration steps have been completed, user authentication follows the flow diagrammed and listed below.


  1. The browser user follows a link to the target IBM Cloud environment URL

  2. Within IBM WebSphere, the SAML TAI redirects the user to the customer's IdP, where they authenticate

  3. A signed SAML response is created by the customer's IdP and sent by HTTP POST to IBM Cloud

  4. The SAML TAI consumes the response and logs in the user. An LTPA2 token is created

  5. The Assertion Consumer Service redirects the user to the correct landing page within Maximo or TRIRIGA

 ===========================================================================

Notes & Known Limitations:

User synchronization (Maximo LDAPSYNC, VMMSYNC cron tasks) cannot be run over SAML (HTTPS)

These cron tasks require LDAP connectivity. For example, if a user ID for a new employee is created in your LDAP repository or through your IdP, it will not be automatically created as a user in Maximo or assigned to a Maximo security group. If only SAML authentication is configured, all users must already exist in the Maximo database or be created by the customer (for example through an integration). LDAP user synchronization can be configured for Maximo if a site-to-site IPsec VPN is in place, which allows LDAP connectivity (port 389) between IBM SaaS and the customer's LDAP repository. Once this connectivity is established, the user synchronization parameters can be configured. Secure LDAP (LDAPS, port 636) is also possible if a site-to-site VPN is not an option. Further information / links:

Updating User Status from Active Directory to Maximo using LDAP
Maximo LDAP - VMMSYNC Filtering and Configuration

IdP initiated is the only SAML SSO flow supported

Technically, this is because neither the WebSphere SAML SP application nor Maximo or TRIRIGA itself is able to build and send a SAML AuthnRequest to the IdP, which is what the SP-initiated flow requires. For authentication to succeed we expect an unsolicited SAML Response to be posted to the ACS, carrying an assertion signed with the IdP's token-signing certificate and containing the user ID in the NameID. If the IdP has been defined as trusted, we accept that it has correctly authenticated the user. This means that even when we set up a redirect from IBM Cloud to the IdP, the IdP must still be configured for IdP-initiated SAML, and we must be provided with an IdP URL that uniquely identifies the target environment. Because the SP has no AuthnRequest to correlate the response against, the assertion's signature, audience restriction and validity window carry the full burden of trust; keep the assertion lifetime configured at the IdP short.
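As an added illustration of the authentication flow listed above and of the IdP-initiated requirement just described, here is a Python model of the checks a Service Provider applies to an unsolicited SAML Response before logging the user in. It is not WebSphere's SAML TAI code: the entity IDs, URLs and the response are constructed samples, and XML-signature verification (which needs an xmlsec library) is only checked for presence. It returns the NameID that gets matched against the Maximo loginID or TRIRIGA username.

```python
"""Added example, not IBM or WebSphere code. XML-signature verification needs
an xmlsec implementation and is only checked for presence here; all URLs,
entity IDs and the sample response are constructed placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(seconds=60)  # tolerated drift between IdP and SP clocks

# Assumed SP configuration (in practice taken from the metadata exchange).
TRUSTED_IDP = "https://idp.customer.example/adfs/services/trust"
SP_ENTITY_ID = "https://example-maximo.ibm.example/saml/sp"
ACS_URL = "https://example-maximo.ibm.example/samlsps/acs"

# Constructed sample of what the IdP posts to the ACS (flow step 3).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z"
  Destination="https://example-maximo.ibm.example/samlsps/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.customer.example/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jsmith</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
      Recipient="https://example-maximo.ibm.example/samlsps/acs"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://example-maximo.ibm.example/saml/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""


class SamlRejected(Exception):
    """Raised with the reason a response must not log anyone in."""


def _ts(value):  # SAML UTC timestamp, with or without fractional seconds
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _within(now, not_before, not_on_or_after):
    """True if now, allowing CLOCK_SKEW, lies inside [NotBefore, NotOnOrAfter)."""
    if not_before and now + CLOCK_SKEW < _ts(not_before):
        return False
    return not (not_on_or_after and now - CLOCK_SKEW >= _ts(not_on_or_after))


def validate_unsolicited_response(xml_text, now, trusted_idp=TRUSTED_IDP,
                                  sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Return the NameID to match against loginID/username, or raise SamlRejected."""
    now = _ts(now) if isinstance(now, str) else now
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlRejected("status is not Success")
    # IdP-initiated only: this SP never issues an AuthnRequest, so nothing can be correlated.
    if resp.get("InResponseTo"):
        raise SamlRejected("unexpected InResponseTo on an unsolicited response")
    if resp.get("Destination") != acs_url:
        raise SamlRejected("Destination does not match our ACS URL")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != trusted_idp:
        raise SamlRejected("Issuer is not the trusted IdP")
    # The TAI verifies this signature with the IdP's token-signing certificate; presence only here.
    if a.find("ds:Signature", NS) is None:
        raise SamlRejected("Assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _within(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        raise SamlRejected("Assertion is missing Conditions or outside its validity window")
    audiences = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlRejected("Audience does not include our EntityID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or not scd.get("NotOnOrAfter"):
        raise SamlRejected("bearer confirmation missing, unbounded, or for another Recipient")
    if not _within(now, None, scd.get("NotOnOrAfter")):
        raise SamlRejected("bearer confirmation has expired")
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlRejected("no NameID, the only claim this SP requires")
    return name_id


def rejection_reason(xml_text, now, **cfg):
    """None if the response would be accepted, otherwise why it was rejected."""
    try:
        validate_unsolicited_response(xml_text, now, **cfg)
        return None
    except SamlRejected as exc:
        return str(exc)
```

Because the SP cannot tie an unsolicited response to a request it sent, the check rejects any InResponseTo value and leans on Destination, Recipient, Audience and the validity window instead; the clock-skew allowance is deliberately small so that an old assertion cannot be replayed against the ACS long after the IdP issued it.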

Multi-factor authentication (MFA) or Two-factor authentication (2FA) Support

The Maximo and TRIRIGA SaaS offerings support multiple forms of SSO, including SAML, which relies on the customer's chosen on-premise or cloud-based identity provider to authenticate the user. In this flow, the identity provider is responsible for implementing any and all authentication factors required by the customer's security policy. The Maximo or TRIRIGA SaaS environment does not itself implement MFA/2FA.

Maximo Anywhere

Maximo Anywhere technically began supporting SAML authentication in v7.6.3; however, development is required to enable the SSO handler with SAML authentication support for the customer's IdP (Identity Provider). This is the customer's responsibility. Use of LDAP (via site-to-site VPN) for Maximo Anywhere authentication is considered IBM SRE and Maximo SaaS best practice at this time.

TRIRIGA CAD Integrator

TRIRIGA CAD Integrator is a client-side application and does not support SAML authentication. CAD Integrator users must use native login. TRIRIGA SaaS customers who have SAML/SSO enabled can be assigned a context on their process server; this configuration allows CAD Integrator users to log in natively using the process server URL.


See below IBM Knowledge Center links for further requirements and limitations of single sign-on requests in Maximo and TRIRIGA Application Platform:

Maximo:
https://www.ibm.com/support/knowledgecenter/SSLKT6_7.6.1.1/com.ibm.mbs.doc/security/c_ctr_config_authn.html

TRIRIGA:
https://www.ibm.com/support/knowledgecenter/SSHEB3_3.6.0/com.ibm.tap.doc/sso_topics/c_sso_reqs.html


If you would like to configure any of the above, please submit a case to the IBM Support Community with your specific environment details to IBM for review.

Disclaimer: Information provided in this wiki is for informational purposes only. Content is not to be considered part of any existing IBM®️ Maximo or TRIRIGA customer subscription, agreement, license or contract. From time to time, this site may contain technical inaccuracies or typographical errors, and IBM does not warrant the accuracy of any posted information. The information contained in this wiki is subject to change without notice. By visiting this wiki, you consent to the use of cookies and other tracking technologies by IBM's subcontractor, Atlassian, in accordance with the Atlassian Cookies & Tracking Notice found at https://www.atlassian.com/legal/cookies. If you do not consent to the collection of your data by Atlassian at any time, please leave the wiki and delete the cookies and other web-tracking technologies through your browser.