Maximo Application Suite Customer-managed

Authentication methods

Maximo® Application Suite supports MongoDB, Lightweight Directory Access Protocol (LDAP) authentication, and Security Assertion Markup Language (SAML) authentication methods for local user authentication.

Regardless of where authentication is managed, access management and user privileges authorization is managed by Maximo Application Suite.

Starting in Maximo Application Suite 8.11, you can configure local, SAML, or LDAP authentication to provide multiple login options that users can authenticate to when they log in. You can also specify a default identity provider to be the primary login option for users on the suite login page. For more information, see configuring default identity providers.

Local authentication by MongoDB

With local authentication, Maximo Application Suite provides single sign-on (SSO) for all fully integrated applications.

Attention: Starting in Maximo Application Suite 8.11, when you create a user, if an authentication type such as Local, LDAP, or SAML is not selected, the user cannot access Maximo Application Suite.

LDAP authentication

With LDAP, the user authentication is managed by your LDAP server. You can configure your Maximo Application Suite environment to use your own corporate LDAP server. Maximo Application Suite provides SSO for all fully integrated applications, and you can also configure external applications to use the same LDAP server.

With LDAP enabled, you can:

  • Select to use LDAP authentication when you create new users. LDAP uses its own username to link to Maximo Application Suite users.
  • Synchronize your LDAP user registry with Maximo Application Suite, immediately setting up your suite users from your existing user registry.
    Important: For synchronization, secure LDAP (LDAPS) is the only allowed protocol. Non-TLS connections are not supported.

You can configure Maximo Application Suite to use LDAP at setup or later. For more information about configuring Maximo Application Suite for LDAP, see Configuring LDAP authentication.

SAML authentication

With SAML, the user authentication is managed by your SAML server. When SAML is enabled, you can complete the following tasks:

  • Select to use SAML authentication when you create new users. SAML uses its own ID to link to Maximo Application Suite users.
  • Set up SSO for Maximo Application Suite and for any external application that supports SAML and that is accessed from the same browser.

You can configure Maximo Application Suite to use SAML at setup or later. For more information about configuring Maximo Application Suite for SAML, see Configuring SAML authentication.

Starting in Maximo Application Suite 8.11, SAML authentication supports the following types of global configuration:
Non-Default (either local or ldap is default)
When SAML is configured but not the default identity provider (IdP), the option to log in by using SAML is available on the Maximo Application Suite login page as an alternative option. If users select this option, they are directed to use the SAML authentication.
Set as the default identity provider with seamless login enabled
When SAML is set as the default IdP with seamless login enabled, the authentication occurs directly in the SAML IdP. With seamless login, users are directed to the SAML IdP to authenticate instead of the Maximo Application Suite login page.
Attention: If you enable seamless login, then the login page is not shown. If you need to display a security message to comply with federal regulations, make sure that seamless login is disabled. Otherwise, users do not see the system notification that might be enabled on the login page.
Set as the default identity provider with seamless login disabled
When SAML is set as the default IdP but with seamless login disabled, the option to log in by using SAML is available on the Maximo Application Suite login page as the primary login option.
For more information, see configuring default identity providers.
SAML standard also provides the following authentication methods that Maximo Application Suite supports.
Service Provider (SP) initiated
If users access any Maximo Application Suite endpoint, such as Manage or Monitor applications, an internal OIDC process is triggered in Maximo Application Suite where one of the following scenarios occurs:
  • If SAML is set as the default IdP but with seamless login disabled, the Maximo Application Suite login page is shown where users can either click Continue to redirect them to the SAML IdP login page or choose an alternative login option.
  • If SAML is set as the default IdP with seamless login enabled, the user is directed to the SAML IdP login page instead of the Maximo Application Suite login page.
  • If the user already logged in, the Maximo Application Suite application opens immediately.
IdP initiated

For IdP initiated, users access Maximo Application Suite from the SAML IdP portal. If SAML is set as the default IdP with seamless login enabled, the user goes directly to the Maximo Application Suite page that is setup in the IdP relayState parameter. IdP administrators can configure any Maximo Application Suite application, such as the Manage application, in the relayState so that the application page opens directly.

If you need to keep another IDP as the default while seamless IDP initiated login is still required, you can use a different endpoint for the relayState parameter: https://auth.<masdomain>/idplogin/idpinitiated. To access a specific application in Maximo Application Suite, use the following parameter values:
  • appid - The ID of the application that you want to access.
  • wsid - The ID of the workspace in your Maximo Application Suite environment.
  • apppath - An additional path that can be added as part of the URL.
For example, if you want all your users to have direct access to the Manage application in the workspace main, set the relayState parameter as https://auth.<masdomain>/idplogin/idpinitiated?appid=manage&wsid=main