LDAP user registry synchronization

User registry synchronization simplifies Maximo Application Suite user management by synchronizing users and groups between an LDAP server and your local Maximo Application Suite user registry.

About user synchronization

Synchronization is one way, from the LDAP server to Maximo Application Suite, and all updates on the LDAP side are merged over at sync time.

If your environment is configured for LDAP authentication, you can sync the complete user and group registry, or you can sync a filtered subset of the LDAP user registry.

If your environment is configured for local or SAML authentication, you can specify an external LDAP server to sync the users and groups with.

During synchronization, the mapped LDAP users are automatically added as Maximo Application Suite users and labeled as owned by System for Cross-domain Identity Management (SCIM).

The synced users are initially added with only application entitlement but can be assigned administration entitlement if needed. Users can also be granted specific access to applications during the initial synchronization.

Generally, synced personal information cannot be updated from Maximo Application Suite. Only user entitlement and application access can be managed from Maximo Application Suite. If user authentication is local, passwords can also be managed from Maximo Application Suite.

Important: Because synchronization runs on a schedule, discrepancies can be introduced temporarily between syncs. For example, if a previously synced user ID is removed from LDAP, that user ID can still log in to Maximo Application Suite until the removal is synced. If the synced LDAP users use local authentication, the user ID retains access. If LDAP or SAML authentication is used, the login fails because the user is no longer active in LDAP.

Synchronization operations

The following user and group synchronization operations are supported.

User operations

| Operation | Description |
| --- | --- |
| Insert | Adds a user if it does not exist in the Maximo Application Suite user registry. The user is initially set up with an identity provider (IDP) issuer, entitlement, and application access. If SMTP is configured, newly created users also receive a welcome email. |
| Update | Updates a user if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated. |
| Skip | Skips the user update if there are no changes on the LDAP server since the last synchronization. The field that is compared is ldap.meta.lastModified. |
| Delete | Deletes the user from Maximo Application Suite if it was removed from the LDAP server. |

Group operations

| Operation | Description |
| --- | --- |
| Insert | Adds a group if it does not exist in the Maximo Application Suite user registry. |
| Update | Updates a group if it exists in the Maximo Application Suite user registry. User entitlement and application access are not updated. |

Groups are always updated, and Maximo Application Suite does not delete them as part of the synchronization process.
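The insert, update, skip and delete rules in the two tables above, and the rule that groups are never deleted, as an added worked example (not part of the original documentation or the product code). The user and group records are constructed sample data; the comparison of ldap.meta.lastModified is modelled as a plain string field, which is an assumption about how the stamp is stored.

```python
from typing import Dict, List, Tuple

# Constructed LDAP side: each user carries the lastModified stamp that the
# Skip operation compares against the value recorded at the previous sync.
LDAP_USERS = {
    "alice": {"lastModified": "20240102090000Z"},
    "bob":   {"lastModified": "20240305120000Z"},
    "carol": {"lastModified": "20240110080000Z"},
}
LDAP_GROUPS = {"maintenance": ["alice", "bob"]}

# Constructed local registry: SCIM-owned users from earlier syncs plus one
# local (never synced) user that the sync must not touch.
LOCAL_USERS = {
    "alice": {"owner": "scim", "lastModified": "20240102090000Z"},
    "bob":   {"owner": "scim", "lastModified": "20240201000000Z"},
    "dave":  {"owner": "scim", "lastModified": "20231201000000Z"},
    "admin": {"owner": "local", "lastModified": None},
}
LOCAL_GROUPS = {"maintenance": ["alice"], "legacy": ["dave"]}


def plan_user_sync(ldap_users: Dict[str, dict],
                   local_users: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (operation, user_id) pairs following the User operations table."""
    plan = []
    for uid, entry in sorted(ldap_users.items()):
        local = local_users.get(uid)
        if local is None:
            plan.append(("insert", uid))   # new in LDAP: created with default entitlement
        elif local["lastModified"] == entry["lastModified"]:
            plan.append(("skip", uid))     # unchanged since the last sync
        else:
            plan.append(("update", uid))   # profile changed; entitlement is left alone
    # Delete only SCIM-owned users that disappeared from LDAP. Until this runs,
    # such a user is still present locally, which is the gap the Important note describes.
    for uid, local in sorted(local_users.items()):
        if uid not in ldap_users and local["owner"] == "scim":
            plan.append(("delete", uid))
    return plan


def plan_group_sync(ldap_groups: Dict[str, list],
                    local_groups: Dict[str, list]) -> List[Tuple[str, str]]:
    """Groups are inserted or updated only; the sync never deletes a group."""
    return [("update" if gid in local_groups else "insert", gid)
            for gid in sorted(ldap_groups)]
```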

LDAP configuration attributes

Maximo Application Suite LDAP filter configuration is based on IBM Liberty.

The following configuration examples are based on Microsoft Active Directory. Refer to the IBM Liberty documentation for other types of user registries.

| Parameter | Details | Example |
| --- | --- | --- |
| URL | The URL for the LDAP server in the format protocol://hostname:port. Important: Secure LDAP (LDAPS) is the only allowed protocol. Non-TLS connections are not allowed. | ldaps://MSAD2021.fyre.ibm.com:636 |
| Base DN | The top-level path in the directory server object hierarchy. | OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com |
| Bind DN | The DN that is used to bind to the LDAP server. This account must have sufficient privileges to search for users under the user search DN and groups under the group search DN. | CN=wilson,OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com |
| Bind PW | The LDAP admin password. | |
| Certificate | The TLS certificate for your LDAP server. You can add multiple certificates if you are using a certificate chain. | |
| User Base DN | The user-level path in the directory server object hierarchy. If not provided, the Base DN is used by default. | OU=users,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com |
| userFilter | The query that is used to search for users in the directory. | (&(sAMAccountName=%v)(objectcategory=user)) |
| userIdMap | The field that is used for user IDs. | user:sAMAccountName |
| Group Base DN | The group-level path in the directory server object hierarchy. If not provided, the Base DN is used by default. | OU=groups,OU=FYRE,DC=MSAD2021,DC=fyre,DC=ibm,DC=com |
| groupFilter | The query that is used to search for groups in the directory. | (&(cn=%v)(objectcategory=group)) |
| groupIdMap | The field that is used for group IDs. | *:cn |
| groupMemberIdMap | An LDAP filter that identifies the group memberships for users. | memberOf:member |
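The three config conventions from the table above (the ldaps-only URL rule, the %v placeholder in userFilter and groupFilter, and the class:attribute form of the idMap fields) as an added example that is not part of the documentation or the Liberty code. The RFC 4515 escaping applied before substituting %v is the standard LDAP filter escaping, added here as the check a deployer would want so that a login name cannot change the structure of the search filter; the function names are assumptions for this example.

```python
from typing import Tuple
from urllib.parse import urlsplit

# RFC 4515 escapes for characters that have meaning inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally when substituted for %v."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Fill the %v placeholder of a Liberty-style filter such as
    (&(sAMAccountName=%v)(objectcategory=user)) with an escaped value."""
    if "%v" not in template:
        raise ValueError("filter template has no %v placeholder")
    return template.replace("%v", escape_filter_value(value))


def parse_id_map(id_map: str) -> Tuple[str, str]:
    """Split an idMap such as user:sAMAccountName or *:cn into
    (object class or '*', LDAP attribute)."""
    object_class, sep, attribute = id_map.partition(":")
    if not sep or not object_class or not attribute:
        raise ValueError(f"malformed idMap: {id_map!r}")
    return object_class, attribute


def is_secure_ldap_url(url: str) -> bool:
    """True only for ldaps://hostname:port, per the URL row's Important note."""
    parts = urlsplit(url)
    try:
        port = parts.port          # raises ValueError for a non-numeric port
    except ValueError:
        return False
    return parts.scheme == "ldaps" and bool(parts.hostname) and port is not None
```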

SCIM - Maximo Application Suite user registry mapping

The Maximo Application Suite user data model is based on the SCIM specification. The following table shows the data mapping between Maximo Application Suite and SCIM attributes.

| SCIM field | Maximo Application Suite field |
| --- | --- |
| userName | _id |
| userName | username |
| name.formatted | displayName |
| emails | emails |
| phoneNumbers | phoneNumbers |
| addresses | addresses |
| name.familyName | familyName |
| name.givenName | givenName |
| extension.employeeNumber | extension.employeeNumber |
| extension.costCenter | extension.costCenter |
| extension.organization | extension.organization |
| extension.division | extension.division |
| extension.department | extension.department |
| extension.manager | extension.manager |

SCIM - LDAP default Liberty mapping

Maximo Application Suite user registry synchronization is based on IBM Liberty.

The following table lists the mapping between Liberty SCIM attributes and LDAP attributes.

Note: Only the fields that are used by Maximo Application Suite are listed. The only customized field in Maximo Application Suite is the userName. The other attributes use Liberty default values.

SCIM attribute to PersonAccount WIM Property

| SCIM attribute | WIM/LDAP attribute |
| --- | --- |
| Name | |
| username | principalName, as defined by the userIdMap field |
| givenname | cn |
| familyname | sn |
| formatted | displayname |
| Misc | |
| title | title |
| Phone numbers | |
| mobile | mobile |
| fax | facsimileTelephoneNumber |
| Emails | |
| emails | mail (only one email is supported) |
| Address type: home | |
| streetAddress | homeStreet |
| locality | homeCity |
| region | homeStateOrProvinceName |
| postalCode | homePostalCode |
| country | homeCountryName |
| All other address types | |
| streetAddress | businessStreet |
| locality | businessCity |
| region | businessStateOrProvinceName |
| postalCode | businessPostalCode |
| country | businessCountryName |
| Group mapping | |
| displayName | cn |

Extension

The extension fields that are listed in the following table are not included in the Maximo Application Suite user interface. They are part of the Maximo Application Suite user object and might be used by applications.

The extension attribute is based on the urn:scim:schemas:extension:enterprise:1.0 schema of the SCIM specification.

The following table shows how the LDAP fields map to the Maximo Application Suite user object.

| LDAP field | Details |
| --- | --- |
| employeeNumber | A string identifier, typically numeric or alphanumeric, that is assigned to a person, usually based on order of hire or association with an organization. |
| costCenter | Identifies the name of a cost center. |
| organization | Identifies the name of an organization. |
| division | Identifies the name of a division. |
| department | Identifies the name of a department. |
| manager | The user's manager. A complex type that optionally allows service providers to represent organizational hierarchy by referencing the "ID" attribute of another user. |

Limitations

The following limitations apply to user registry synchronization for Maximo Application Suite 8.4.