Starting in IBM® Maximo® Application Suite 9.0, you can configure multiple identity
providers for the same authentication type, such as SAML or LDAP, by using API and command-line
interfaces. Starting in 9.1, you can also configure multiple OIDC identity providers for user
authentication.
Before you begin
Generate an API key and ensure that the API key that you generate has system admin permission.
For more information about generating an API key, see Maximo Application Suite Admin APIs.
Procedure
- Configure the SAML authentication type
- Run the following command:
curl --location \
--request PUT https://api.<masDomain>/config/saml/<idpId> \
--header "x-access-token: <access token>" \
--header "Content-Type: application/json" \
--insecure \
--data '{
"spInitiatedLogout": true,
"displayName": "SAML",
"issuer": "saml",
"serviceProviderName": "<service provider>",
"nameIDFormat": "<name ID format>"
}'
Where
- <masDomain>
- The domain name for the Maximo Application Suite instance.
- <idpID>
- The unique name for the identity provider.
- <access token>
- The authentication token that was obtained from the API key generation.
- <service provider>
- The unique name of the service provider.
- <name ID format>
- The format that is used for the name ID. Use one of the following values:
customize
email
encrypted
entity
kerberos
persistent
unspecified
windowsDomainQualifiedName
x509SubjectName
- Download the SAML configuration .xml
file.
- Access the following
URL:
https://auth.<masDomain>/ibm/saml20/<serviceProviderName>/samlmetadataTip: Wait for few minutes for the URL to become
available.
- Upload the SAML configuration .xml file to your
identity provider.
- Download the SAML metadata from your identity provider.
- Run the following command to upload the SAML metadata from your identity
provider to Maximo Application Suite
curl --location \
--request PUT https://api.<masDomain>/config/saml/<idpId>/metadata \
--header "x-access-token: <access token>" \
--insecure \
--form 'file=@"<file path>/<metadata filename>.xml"'
Where
- <masDomain>
- The domain name for the Maximo Application Suite instance.
- <idpID>
- The unique name for the identity provider.
- <access token>
- The authentication token that was obtained from the API key generation.
- <file path>
- The location to which the metadata file is downloaded.
- <metadata filename>
- The name of the metadata file that is downloaded.
The command generates the required resources.
Tip: Wait for the operator to reconcile and the user interface to refresh and
reflect the updates.
- Configure the LDAP authentication type
- Run the following command:
curl --location \
--request PUT https://api.<masDomain>/config/ldap/<idpId> \
--header "x-access-token: <access token>" \
--header "Content-Type: application/json" \
--insecure \
--data '{
"displayName": "LDAP",
"url": "ldaps://<ldap url>",
"baseDN": "dc=example,dc=com",
"bindDN": "uid=<user id>,dc=example,dc=com",
"bindPassword": "<password>",
"userIdMap": "cn",
"certificates": [
{
"alias": "intermediate",
"crt": "-----BEGIN CERTIFICATE-----<cert value><snip>-----END CERTIFICATE-----"
}
]
}'
Where
- <masDomain>
- The domain name for the Maximo Application Suite instance.
- <idpID>
- The unique name for the identity provider.
- <access token>
- The authentication token that was obtained from the API key generation.
- <user id>
- The name of the user for authentication.
- <password>
- The password that is set for the user.
- <cert value>
- The values or content available in the certificate.
The command generates the required resources.
Tip: Wait for the operator to reconcile, and the user interface to refresh and
reflect the updates.