IBM Support

Device-Side SSO with Maximo Anywhere

Technical Blog Post


Abstract

Device-Side SSO with Maximo Anywhere

Body

Some customers have successfully configured Maximo Anywhere to sign on automatically without prompting the end user for credentials. This capability requires that your iOS, Windows, or Android device is configured to know the user identity. Your user identification server must also expose a local API on the device that the Maximo Anywhere application can call to retrieve the user identity information. Usually these customers also have an authenticating proxy server, which understands this global user identity, deployed in front of their MobileFirst and Maximo servers. This means that MobileFirst and Maximo do not authenticate the user directly; instead they are configured through SSO to trust the authentication that the authenticating proxy provides.

This device-side SSO can be customized in Maximo Anywhere 7.6 and later by following these steps.

Update the Login Panel:

Edit the apps/<appname>/platform-artifacts/login/app.xml file to hide the username and password fields; this indicates to the platform that device-side SSO is taking place. Comment out everything between these two blocks:

<!-- Comment out the username and password to enable device-side SSO -->

<!-- end of the comment block to enable device-side SSO -->

You will need to hide the username and password fields in both the view and the resource section of that file.

We also recommend that you comment out the Change Password and Logout options when using this capability, since supporting Change Password and Logout in this scenario would require considerably more custom code.

Retrieve the Credentials from the device:

Override the SSOHandler's retrieveUserNameFromSSO function to retrieve the username and credentials from the local device. You will usually have to write a custom Cordova plugin that calls out to native code to retrieve these credentials from the device.

Pass the Credentials to your Proxy Server:

Override the CustomChallengeHandler's handleChallenge method to receive the credentials from the SSOHandler.retrieveUserNameFromSSO method and pass them through to the UserAuthenticator.realmAuthentication method.

Override the CustomChallengeHandler's login method to send those credentials to your authenticating proxy server in a format that it understands. Your proxy server needs to be configured to return a 401 response when the credentials are wrong or no session cookie exists, and a 200 response when the credentials are correct. Once authentication is successful, the proxy server should set a cookie on the request to the MobileFirst server that is also valid on the backend Maximo server.

Override the CustomChallengeHandler's isCustomResponse method to detect when your authenticating proxy server is challenging for these credentials, so that a session timeout (after which the proxy challenges again) is handled.

Configure the MaximoAnywhere runtime to trust the Authenticating Proxy Server:

Since the authenticating proxy performs all of the authentication, the standard Maximo Anywhere Login Module should act as a no-op pass-through and allow all traffic back to the Maximo server. We assume that your Maximo server will look for a cookie set by the proxy server. We provide an out-of-the-box authentication module that implements this no-op: it merely confirms that a cookie exists in the inbound data request. As long as that cookie exists, the request is allowed through to the Maximo server.

Change your MaximoAnywhere/server/conf/authenticationConfig.xml file to use this no-op authentication module and rebuild/redeploy your MaximoAnywhere WAR. Its realms and loginModules sections should look like this:

<realms>
    <!-- For other proxy servers -->
    <realm name="CustomAuthenticationRealm" loginModule="AnywhereProxyLoginModule">
        <className>com.ibm.tivoli.si.auth.AnywhereProxyCustomAuthenticator</className>
    </realm>
</realms>

<loginModules>
    <!-- For other proxy servers -->
    <loginModule name="AnywhereProxyLoginModule">
        <className>com.ibm.tivoli.si.auth.AnywhereProxyCustomLoginModule</className>
    </loginModule>
</loginModules>
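
The following JavaScript is an added example, not code from this post or from the Maximo Anywhere product, that models the whole flow described in the steps above: retrieveUserNameFromSSO obtaining the identity from a device plugin, isCustomResponse detecting the proxy's 401 challenge (including the session-timeout case), handleChallenge and login sending the identity to the proxy, the proxy answering 200 plus a cookie or 401, and the no-op login module that only checks the cookie is present. The MobileFirst challenge-handler API, the native Cordova plugin, the proxy and the "X-Device-Token" / "DeviceSSO" / "PROXYSESSION" names are all constructed stand-ins so that the example runs offline; a real deployment has to use whatever format your proxy actually accepts.

```javascript
"use strict";

// Constructed stand-in for a native Cordova plugin that returns the device identity.
const fakeDevicePlugin = {
  getIdentity() {
    return { userName: "jdoe", token: "device-token-123" }; // constructed sample identity
  },
};

// Step "Retrieve the Credentials from the device": the SSOHandler asks the plugin.
function createSsoHandler(plugin) {
  return {
    retrieveUserNameFromSSO() {
      const id = plugin.getIdentity();
      if (!id || !id.userName || !id.token) throw new Error("device identity unavailable");
      return id;
    },
  };
}

// Constructed stand-in for the authenticating proxy: 200 when a live session cookie is
// presented or the device token is valid (then it sets the cookie), otherwise 401.
const PROXY_COOKIE = "PROXYSESSION"; // hypothetical cookie name
function createFakeProxy(validToken) {
  const sessions = new Set();
  let next = 1;
  return {
    expireSessions() { sessions.clear(); }, // simulates a session timeout on the proxy
    handle(request) {
      const cookie = request.cookies && request.cookies[PROXY_COOKIE];
      if (cookie && sessions.has(cookie)) {
        return { status: 200, headers: {}, body: request.body }; // pass through to Maximo
      }
      if (request.headers["X-Device-Token"] === validToken) {
        const id = `sess${next++}`;
        sessions.add(id);
        return { status: 200, headers: { "Set-Cookie": `${PROXY_COOKIE}=${id}; HttpOnly; Secure` } };
      }
      return { status: 401, headers: { "WWW-Authenticate": "DeviceSSO" } };
    },
  };
}

// Simplified model of the CustomChallengeHandler described in the post.
class CustomChallengeHandler {
  constructor(ssoHandler, proxy) {
    this.ssoHandler = ssoHandler;
    this.proxy = proxy;
    this.cookies = {}; // cookie jar the app presents to the MobileFirst server
  }
  // Step "isCustomResponse": only the proxy's own challenge triggers re-authentication.
  isCustomResponse(response) {
    return Boolean(response) && response.status === 401 &&
      response.headers["WWW-Authenticate"] === "DeviceSSO";
  }
  // Step "handleChallenge": fetch credentials from the SSOHandler and hand them to login.
  handleChallenge() {
    let creds;
    try { creds = this.ssoHandler.retrieveUserNameFromSSO(); } catch (e) { return false; }
    return this.login(creds);
  }
  // Step "login": send the credentials in the format the proxy understands, keep its cookie.
  login(creds) {
    const response = this.proxy.handle({
      headers: { "X-Device-Token": creds.token, "X-User": creds.userName },
      cookies: this.cookies,
    });
    if (response.status !== 200) return false;
    const setCookie = response.headers["Set-Cookie"];
    if (setCookie) {
      const [name, value] = setCookie.split(";")[0].split("=");
      this.cookies[name] = value;
    }
    return true;
  }
  // A data request through the proxy: on a challenge, authenticate and retry once.
  request(body) {
    let response = this.proxy.handle({ headers: {}, cookies: this.cookies, body });
    if (this.isCustomResponse(response)) {
      if (!this.handleChallenge()) return response;
      response = this.proxy.handle({ headers: {}, cookies: this.cookies, body });
    }
    return response;
  }
}

// The no-op login module on the MobileFirst side: it only confirms the proxy cookie exists.
function noopLoginModule(inboundRequest) {
  return Boolean(inboundRequest.cookies && inboundRequest.cookies[PROXY_COOKIE]);
}

// Drives the flow twice: a first request, then a proxy-side session timeout, then a retry.
function runDeviceSsoFlow(plugin = fakeDevicePlugin) {
  const proxy = createFakeProxy("device-token-123");
  const handler = new CustomChallengeHandler(createSsoHandler(plugin), proxy);
  const first = handler.request("GET /maximo/oslc/os/workorder"); // constructed request
  const firstCookie = handler.cookies[PROXY_COOKIE] || null;
  proxy.expireSessions();
  const second = handler.request("GET /maximo/oslc/os/workorder");
  return {
    firstStatus: first.status, firstCookie,
    secondStatus: second.status, secondCookie: handler.cookies[PROXY_COOKIE] || null,
    passedNoop: noopLoginModule({ cookies: handler.cookies }),
  };
}
```

With the valid sample identity the first request is challenged, authenticated and retried (status 200, cookie sess1); after the proxy expires its sessions the next request is challenged again and re-authenticates transparently (cookie sess2), which is the timeout case isCustomResponse exists for. With an identity the proxy rejects, both requests stay at 401, no cookie is stored, and the no-op module refuses the request. Note that the no-op module checks only that the cookie is present, so it is only safe when the MobileFirst server can be reached exclusively through the authenticating proxy.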

This use case has a limitation: it assumes that devices are not shared by multiple users.

We recommend installing Wireshark on the MobileFirst server and watching the inbound requests to make sure your proxy server is correctly passing the cookie to the MobileFirst and Maximo servers.

UID

ibm11130499