Configuring Service Portal for single sign-on

You can configure Service Portal for single sign-on (SSO) authentication.

Before configuring Service Portal for SSO, complete the section below so that IBM Control Desk itself is already configured for SSO. The supported Identity Providers are Okta, Azure, and Active Directory Federation Services (ADFS).

Configuring SSO for IBM Control Desk

You can configure the application server to use Security Assertion Markup Language (SAML). With SAML, your session is authenticated by an Identity Provider (IdP) rather than directly by IBM Control Desk: the browser signs in at the IdP, and the application server accepts the signed SAML assertion that the IdP returns.
Note: For SAML to work correctly, users must authenticate with an IdP, and you must configure a trust association interceptor (TAI) in WebSphere Application Server to accept the IdP's assertions.
  1. Open the following 4 XML files and do steps 2 and 3.
    1. /maximo/maximouiweb/webmodule/WEB-INF/web.xml
    2. /maximo/meaweb/webmodule/WEB-INF/web.xml
    3. /maximo/maxrestweb/webmodule/WEB-INF/web.xml
    4. /maximo/maboweb/webmodule/WEB-INF/web.xml
  2. Set the value of the useAppServerSecurity context parameter to 1.
  3. Uncomment the <security-constraint> section and save each file.
  4. Open the /maximo/maximouiweb/webmodule/WEB-INF/web.xml file again.
    • Uncomment the <login-config> section for FORM login.
    • Add the following <web-resource-collection> inside the <security-constraint> element to enable SSO for Service Portal:
      <web-resource-collection>
          <web-resource-name>Service Portal utility pages</web-resource-name>
          <description>pages accessible by authorised users</description>
          <url-pattern>/webclient/serviceportal/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
      </web-resource-collection>
      
  5. Connect to the database and run the following statements to set the mxe.useSAML and mxe.useAppServerSecurity properties to 1:
    • update maxpropvalue set propvalue='1' where propname='mxe.useSAML';
    • update maxpropvalue set propvalue='1' where propname='mxe.useAppServerSecurity';
  6. Optional: If your system does not use a / as a domain separator, set the mxe.userRealmSeparator property to the domain separator that you use.
  7. Rebuild and redeploy the maximo.ear file.
    Note: By default, the maximo.ear build and deployment assume that a maximousers group exists in the local repository; users in that group are mapped to the maximouser role. In WebSphere® Application Server you can bypass this mapping and authorize everyone who is trusted in the realm to log in to IBM Control Desk. Bypassing the mapping lets every account the IdP asserts into the realm log in, so do this only if the IdP itself restricts which users are entitled to IBM Control Desk.
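The web.xml edits in steps 1 to 4 are easy to get half done (one of the four files skipped, or the security constraint left inside its comment). The following script, added here as an example and not IBM's or the product's own code, checks the four files: useAppServerSecurity must be 1, a <security-constraint> must be live (the XML parser drops comments, so a still-commented block does not count), and for maximouiweb the FORM <login-config> and the /webclient/serviceportal/* url-pattern must be present. The install root and the two sample documents are constructed for illustration.

```python
"""Added example, not IBM's code: verify the web.xml edits from steps 1 to 4.
Checks useAppServerSecurity, a live <security-constraint>, and for maximouiweb
the FORM <login-config> plus the /webclient/serviceportal/* url-pattern.
The install root and both sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Files from step 1, relative to the Maximo install root; the flag marks the
# file that must also carry the Service Portal additions from step 4.
WEB_XML_FILES = [
    ("maximouiweb/webmodule/WEB-INF/web.xml", True),
    ("meaweb/webmodule/WEB-INF/web.xml", False),
    ("maxrestweb/webmodule/WEB-INF/web.xml", False),
    ("maboweb/webmodule/WEB-INF/web.xml", False),
]
SERVICE_PORTAL_PATTERN = "/webclient/serviceportal/*"


def _local(tag):  # strip a namespace like {http://java.sun.com/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_web_xml(xml_text, require_serviceportal=False):
    """Return a list of problems; an empty list means the file matches the steps."""
    root = ET.fromstring(xml_text)
    problems = []
    value = None
    for param in _elements(root, "context-param"):
        if _child_text(param, "param-name") == "useAppServerSecurity":
            value = _child_text(param, "param-value")
    if value != "1":
        problems.append(f"useAppServerSecurity is {value!r}, expected '1'")
    # Comments are discarded by the parser, so a commented-out block is absent here.
    if not _elements(root, "security-constraint"):
        problems.append("no active <security-constraint> (still commented out?)")
    if require_serviceportal:
        methods = [_child_text(lc, "auth-method") for lc in _elements(root, "login-config")]
        if "FORM" not in methods:
            problems.append(f"<login-config> auth-method is {methods!r}, expected FORM")
        patterns = {(e.text or "").strip() for e in _elements(root, "url-pattern")}
        if SERVICE_PORTAL_PATTERN not in patterns:
            problems.append(f"url-pattern {SERVICE_PORTAL_PATTERN} missing from <security-constraint>")
    return problems


def check_install(maximo_root):
    """Check all four files under an install root; returns {path: [problems]}."""
    results = {}
    for rel, needs_sp in WEB_XML_FILES:
        path = Path(maximo_root) / rel
        if not path.is_file():
            results[str(path)] = ["file not found"]
        else:
            results[str(path)] = check_web_xml(path.read_text(encoding="utf-8"), needs_sp)
    return results


# Constructed sample: maximouiweb web.xml after steps 2 to 4.
EDITED_UI_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>useAppServerSecurity</param-name>
    <param-value>1</param-value>
  </context-param>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Service Portal utility pages</web-resource-name>
      <url-pattern>/webclient/serviceportal/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>maximouser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>
"""

# Constructed sample: a file where steps 2 and 3 were not done.
UNEDITED_WEB_XML = """<web-app>
  <context-param>
    <param-name>useAppServerSecurity</param-name>
    <param-value>0</param-value>
  </context-param>
  <!-- <security-constraint> still commented out </security-constraint> -->
</web-app>
"""

if __name__ == "__main__":
    print("edited:", check_web_xml(EDITED_UI_WEB_XML, require_serviceportal=True))
    print("unedited:", check_web_xml(UNEDITED_WEB_XML, require_serviceportal=True))
    # Real install (constructed path): print(check_install("/opt/IBM/SMP/maximo"))
```

Run it before step 7: if any file reports a problem, the rebuilt maximo.ear would deploy with application server security half enabled, and the Service Portal pages would not be covered by the constraint.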

For detailed information about SAML web single sign-on, see https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/cwbs_samlssoconcepts.html.

Configuring SSO for Service Portal

To configure SSO, edit the following properties in config.js:
enable_sso
Set to 1 to enable SSO for Service Portal: authentication is then delegated to the Identity Provider configured for Maximo. Set to 0 to keep the default behavior of the login page.
sp_auth_provider_url
The URL of the JavaServer Pages resource in the Maximo WebSphere context that performs the authentication. It has a default value, but you can edit it. sp_auth_provider_url must be set if enable_sso is set to 1.
sp_full_url
Optional in general, but required when a system sits in front of Service Portal, for example a gateway or load balancer. In that case set it to the full external URL of the gateway or load balancer.
sso_logout_page
If enable_sso = 0, this value is unused. If enable_sso = 1, it is optional and names the landing page after you log off from any Service Portal application. When you click Sign Out, your authentication credentials are not invalidated; you are only redirected out of Service Portal, so the IdP session remains valid until it expires or the user signs out at the IdP. If enable_sso = 1 and sso_logout_page is not set, the Sign Out button is removed from all applications, and the only way to exit Service Portal is to close the browser or browser tab.
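The four properties above depend on one another (sp_auth_provider_url is mandatory only when enable_sso is 1, sso_logout_page is ignored when it is 0, a missing sso_logout_page removes the Sign Out button). The following check, added here as an example and not part of IBM's product or documentation, encodes those rules. config.js is JavaScript and its layout is not assumed; the function takes the property values already read out of the file as a dict and returns errors and warnings. The sample values are constructed.

```python
"""Added example, not IBM's code: consistency check for the Service Portal
SSO properties described for config.js.  Takes the property values as a
dict (config.js itself is not parsed) and returns (errors, warnings).
All sample values are constructed."""
from urllib.parse import urlparse

SSO_PROPERTIES = ("enable_sso", "sp_auth_provider_url", "sp_full_url", "sso_logout_page")


def _is_absolute_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def check_sso_properties(props):
    """Return (errors, warnings) for a dict of config.js SSO property values."""
    errors, warnings = [], []
    enable = str(props.get("enable_sso", "0")).strip()
    if enable not in ("0", "1"):
        errors.append(f"enable_sso must be 0 or 1, got {enable!r}")
        return errors, warnings

    if enable == "0":
        # Default login page: the SSO-only logout setting is ignored.
        if props.get("sso_logout_page"):
            warnings.append("sso_logout_page is ignored while enable_sso is 0")
        return errors, warnings

    provider = (props.get("sp_auth_provider_url") or "").strip()
    if not provider:
        errors.append("enable_sso is 1 but sp_auth_provider_url is not set")

    full = (props.get("sp_full_url") or "").strip()
    if full:
        if not _is_absolute_url(full):
            errors.append("sp_full_url must be the full URL of the gateway or load balancer")
        elif urlparse(full).scheme != "https":
            warnings.append("sp_full_url is not https; the SSO redirect would travel in clear text")

    logout = (props.get("sso_logout_page") or "").strip()
    if not logout:
        warnings.append("sso_logout_page not set: Sign Out button is removed, users must close the browser")
    else:
        warnings.append("Sign Out only redirects to sso_logout_page; the IdP session is not invalidated")
    return errors, warnings


if __name__ == "__main__":
    # Constructed values, not a real deployment; the JSP path is made up.
    sample = {
        "enable_sso": "1",
        "sp_auth_provider_url": "/maximo/webclient/serviceportal/auth.jsp",
        "sp_full_url": "http://portal.example.com/serviceportal",
    }
    errors, warnings = check_sso_properties(sample)
    print("errors:", errors)
    print("warnings:", warnings)
```

The warnings are deliberately noisy: whoever enables SSO should see in writing that Sign Out no longer ends the IdP session and that a plain-http front URL exposes the redirect.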