Configuring Maximo Application Suite to synchronize user and groups with SCIM 2.0

Starting in Maximo® Application Suite 9.0, you set up the user and group synchronization in the identity provider by using the SCIM 2.0 API endpoints from Maximo Application Suite. You initially create an API Key in Maximo Application Suite to generate a JSON Web Token.

About this task

To invoke the new SCIM 2.0 APIs with the identity provider, an authentication token, which is called a JSON Web Token, is required. This token is obtained by using a Maximo Application Suite API key. The API key requires user admin permissions.

By default the JSON Web Token has a short expiry time and requires frequent regeneration and reconfiguration of the connection details in the identity provider. You can specify an expiry duration for the token as part of the authenticated request by specifying an HTTP Header as part of the request, with the name mas-jwt-expiry-duration and a value that is an ISO8601 duration. For example, you can specify P90D for 90-day expiry.

Starting in Maximo Application Suite 9.1.7 and 9.0.18, you can generate the JSON Web Token with an expiration greater than 90 days or without any expiration time. For example, you can specify the mas-jwt-expiry-duration header name as P100Y for a 100-year duration or NEVER to never expire.

Procedure

  1. In Maximo Application Suite Suite administration, create an API key.
    1. From the side navigation menu, click API keys and click Create API key.
    2. Enter the description and specify the authentication token expiry.
    3. For suite administrative access that is applicable to the API key, select User management .
    4. Click Submit.
    5. Copy the API key and authentication token details.
      If authentication token details are lost, you cannot recover the details. To create a token, you must create an API key.
  2. To generate a JSON Web Token, issue a GET request to the /v1/authenticate API with Basic Auth.
    For more information about generating a GET request, see Get all API keys and Get specific API key.
    1. Specify Basic Auth as the authentication type.
    2. Enter the API key ID and authentication token as username and password.
    3. Specify a custom expiry duration for the token as part of the authenticated request. For example, enter P90D for a 90-day duration.
      Starting in Maximo Application Suite 9.1.7 and 9.0.18, you can enter one of the following values.
      • Enter P100Y for a 100-year duration.
      • Enter NEVER for no expiration date.

      The JSON Web Token is generated, which you can use in the API calls that you want to make. The response to the authenticated request contains a token field.

    4. Copy the JSON Web Token details.
      For more information, see Obtain a JWT token using API key credentials.
  3. Create a Maximo Application Suite SCIM profile to specify the Maximo Application Suite configuration that is applied to users and groups when they are synchronized from the identity provider to Maximo Application Suite.
    For more information, see Create a new MAS SCIM profile.
  4. Configure the identity provider.
    1. In the identity provider, create an application to represent Maximo Application Suite.
    2. Enable the SCIM 2.0 provisioning in the application.
      1. Specify the base URL for integration by using https://api.{mas-instance-id}.{domain}/scim/v2/{profileId}.
      2. Provide the JSON Web Token for the header-based authentication that you created from the API key.
      3. Validate that the identity provider can connect to Maximo Application Suiteand issue SCIM requests.
  5. Assign users and groups to the application in the identity provider to initiate the synchronization of users and groups with Maximo Application Suite.