LDAP user registry synchronization

User registry synchronization simplifies Maximo Application Suite user management by synchronizing users and groups between an LDAP server and your local Maximo Application Suite user registry.

About user synchronization

Synchronization is one way, from the LDAP server to Maximo Application Suite, and all updates on the LDAP side are merged over at sync time.

If your environment is configured for LDAP authentication, you can sync the complete user and group registry, or you can sync a filtered subset of the LDAP user registry.

If your environment is configured for local or SAML authentication, you can specify an external LDAP server to sync the users and groups with.

During synchronization, the mapped LDAP users are automatically added as Maximo Application Suite users and labeled as owned by Cross-domain Identity Management (SCIM).

The synced users are initially added with only application entitlement but can be assigned administration entitlement if needed. Users can also be granted specific access to applications during the initial synchronization.

Generally, synced personal information cannot be updated by from Maximo Application Suite. Only user entitlement and application access can be managed from Maximo Application Suite. If the user authentication is local, passwords can also be managed from Maximo Application Suite.

Important: Because the synchronization is set on a schedule, discrepancies might be temporarily introduced between syncs. For example, if a previously synced user ID is removed from LDAP, that user ID is still permitted to log in to Maximo Application Suite until the user removal is synced. If the synced LDAP users are using Local authentication, the user ID still has access. If LDAP or SAML authentication is used, the login fails because the user is no longer active in LDAP.

Synchronization operations

The following user and group synchronization operations are supported.

User operations

Operation	Description
Insert	Adds a user if it does not exist in the Maximo Application Suite user registry. The user is initially set up with an identity provider (IDP) issuer, entitlement, and application access. If SMTP is configured, newly created users also receive a welcome email.
Update	Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated.
Skip	Skips user update if there are no changes in the LDAP server since the last synchronization. The verified field is: `ldap.meta.lastModified`.
Delete	Deletes the user from Maximo Application Suite if it was removed from the LDAP server.

Group operations

Operation	Description
Insert	Adds a group if it does not exist in the Maximo Application Suite user registry.
Update	Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated.

Groups are always updated, and Maximo Application Suite does not delete them as part of the synchronization process.

LDAP configuration attributes

Maximo Application Suite LDAP filter configuration is based on IBM Liberty.

The following configuration examples are based on Microsoft Active Directory. Refer to the IBM Liberty documentation for other types of user registries.

Parameter	Details	Example
URL	The URL for the LDAP server in the format: `protocol://<hostname>:<port>` Important: Secure LDAP (LDAPS) is the only allowed protocol. Non-TLS connections are not allowed.	Example: `ldaps://MSAD2021.fyre.ibm.com:636`
Base DN	The top-level path in the directory server object hierarchy.	Example: `OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com`
Bind DN	Bind DN is used to bind to an LDAP server. Administrators should have sufficient privileges to search for users under user search DN or groups under group search DN.	Example: `CN=wilson,OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com`
Bind PW	LDAP admin password
Certificate	The TLS certificate for your LDAP Server. You can also add multiple certificates if you are using a certificate chain.
User Base DN	The user-level path in the directory server object hierarchy. If not provided, the baseDN is used by default.	Example: `OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com`
userFilter	The query that is used to search the users in the directory.	Example: `(&(sAMAccountName=%v)(objectcategory=user))`
userIdMap	The field that is used for user IDs	Example: `user:<sAMAccountName>`
Group Base DN	The group-level path in the directory server object hierarchy. If not provided, the baseDN is used by default.	Example: `OU=groups,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com`
groupFilter	The query that is used to search the groups in the directory.	Example: `(&(cn=%v)(objectcategory=group))`
groupIdMap	The field that is used for group ID.	Example: `*:cn`
groupMemberIdMap	Indicates an LDAP filter that identifies the group memberships for users.	Example: `memberOf:member`

SCIM - Maximo Application Suite user registry mapping

The Maximo Application Suite user data model is based on the SCIM specification. The following table shows the data mapping between Maximo Application Suite and SCIM attributes.

SCIM field	Maximo Application Suite field
userName	_id
userName	username
name.formatted	displayName
emails	emails
phoneNumbers	phoneNumbers
addresses	addresses
emails	emails
name.familyName	familyName
name.givenName	givenName
extension.employeeNumber	extension.employeeNumber
extension.costCenter	extension.costCenter
extension.organization	extension.organization
extension.division	extension.division
extension.department	extension.department
extension.manager	extension.manager

SCIM - LDAP default Liberty mapping

Maximo Application Suite user registry synchronization is based on IBM Liberty.

The following table lists the mapping between Liberty SCIM attributes and LDAP attributes.

Note: Only the fields that are used by Maximo Application Suite are listed. The only customized field in Maximo Application Suite is the userName. The other attributes use Liberty default values.

SCIM attribute to PersonAccount WIM Property

SCIM Attribute	WIM/LDAP Attribute
Name
username	principalName that is defined by userIdMap field
givenname	cn
familyname	sn
formatted	displayname
Misc
title	title
Phone numbers
mobile	mobile
fax	facsimileTelephoneNumber
Emails
emails	mail *only one email supported
Address type home
streetAddress	homeStreet
locality	homeCity
region	homeStateOrProvinceName
postalCode	homePostalCode
country	homeCountryName
All other address types
businessStreet	businessStreet
locality	businessCity
region	businessStateOrProvinceName
postalCode	businessPostalCode
country	businessCountryName
Group mapping
displayName	cn

Extension

The extension fields that are listed in the following table are not included in the Maximo Application Suite user interface. They are part of the Maximo Application Suite user object and might be used by applications.

The extension attribute is based on the urn:scim:schemas:extension:enterprise:1.0 schema of the SCIM specification.

The following table shows how the LDAP fields map to the Maximo Application Suite user object.

LDAP field	Details
employeeNumber	A string identifier, typically numeric or alphanumeric, that is assigned to a person, typically based on order of hire or association with an organization.
costCenter	Identifies the name of a cost center.
organization	Identifies the name of an organization.
division	Identifies the name of a division.
department	Identifies the name of a department.
manager	The user's manager. A complex type that optionally allows service providers to represent organizational hierarchy by referencing the "ID" attribute of another user.

Limitations

The following limitations apply to user registry synchronization for Maximo Application Suite 8.4.

User synchronization is supported for a single LDAP server.
The only customized mapping property is userName. Other attributes are mapped by using IBM Liberty defaults.
User and group sync are done in the same job.
Syncing by using the SCIM sync API is not supported.