How To
Summary
MaaS360 can be configured to use SAML-based authentication for User Enrollment, End User Portal authentication, and Administrator login to the MaaS360 Portal. An IBM Security Verify tenant is required; it is provided at no cost and is created automatically during the setup below, so no separate provisioning step is needed. MaaS360 uses IBM Security Verify as an identity broker between MaaS360 and your corporate identity provider (IdP). The same IBM Security Verify tenant is used for all SAML-based authentication.
Steps
- Configure SAML login for User Enrollment and End User Portal login (MaaS360 End User Portal Service required)
- Configure SAML login for Administrator Login
- Troubleshooting
Configure SAML login for User Enrollment and End User Portal login (MaaS360 End User Portal Service required)
- Initiate and create your IBM Security Verify broker from the MaaS360 Portal.
- From the IBM MaaS360 Portal Home page, go to Setup > Settings > Directory and Enrollment > Directory and Authentication.
- Click Add Authentication Type in the User Authentication Setup section.
- Select Cloud directory in the Directory Type and SAML based in the Cloud directory type, and click Next.
- If this is the first time you are configuring the SAML workflow, provide an IBMid to create and configure IBM Security Verify (create an IBMid first if you do not have one). If you already have an IBM Security Verify tenant, this option is not shown.
- Enter a name of your choice for the Identity Provider. MaaS360 then displays the Assertion Consumer Service URL, Entity ID, and MaaS360 Login URL; use these values to register MaaS360 as an application in your identity provider, as described in the following steps.
- Register MaaS360 as an Application within your Identity Broker.
- Entity ID: enter this in your identity provider's Entity ID field. Providers may call this field 'Entity ID', 'Identifier', 'Audience', or similar.
- Assertion Consumer Service URL: enter this in your identity provider's ACS URL field. Providers may call this 'Assertion Consumer Service URL', 'Recipient', 'Reply URL', or similar. Enter the URL in every field that applies.
- MaaS360 Login URL: enter this in your identity provider's login URL field. Providers may mark this optional and call it 'RelayState', 'Sign on URL', or similar. Enter the URL in every field that applies.
- Your Identity Provider may list two additional options.
- Set 'SAML initiator' to Service Provider.
- Set 'SAML signature element' to Both (sign both the SAML response and the assertion it carries).
- Assign users and groups to use the new app based on your company's requirements.
- Download a copy of the newly registered app's metadata file from your identity provider and open it in a text editor. Remove the SingleSignOnService element whose Location URL contains 'saml2/soap/sso', keeping the other SingleSignOnService bindings and the signing certificate intact. Upload the modified file to MaaS360 and click Save.
- Save your MaaS360 Settings.
- Follow Adding Users in the IBM MaaS360 Portal to add user accounts directly or import user accounts from supported directory services.
Configure SAML login for Administrator Login
- Initiate and create your IBM Security Verify broker from the MaaS360 Portal.
- From the IBM MaaS360 Portal Home page, go to Setup > Settings > Administrator Settings > Advanced > Login Settings.
- Check Federated Single Sign-On and mark Use SAML for Single Sign-On.
- Select Cloud directory in the Directory Type and SAML based in the Cloud directory type, and click Next.
- If this is the first time you are configuring the SAML workflow, provide an IBMid to create and configure IBM Security Verify (create an IBMid first if you do not have one). If you already have an IBM Security Verify tenant, this option is not shown.
- Enter a name of your choice for the Identity Provider. MaaS360 then displays the Assertion Consumer Service URL, Entity ID, and MaaS360 Login URL; use these values to register MaaS360 as an application in your identity provider, as described in the following steps.
- Register MaaS360 as an Application within your Identity Broker.
- Entity ID: enter this in your identity provider's Entity ID field. Providers may call this field 'Entity ID', 'Identifier', 'Audience', or similar.
- Assertion Consumer Service URL: enter this in your identity provider's ACS URL field. Providers may call this 'Assertion Consumer Service URL', 'Recipient', 'Reply URL', or similar. Enter the URL in every field that applies.
- MaaS360 Login URL: enter this in your identity provider's login URL field. Providers may mark this optional and call it 'RelayState', 'Sign on URL', or similar. Enter the URL in every field that applies.
- Your Identity Provider may list two additional options.
- Set 'SAML initiator' to Service Provider.
- Set 'SAML signature element' to Both (sign both the SAML response and the assertion it carries).
- Assign users and groups to use the new app based on your company's requirements.
- Download a copy of the newly registered app's metadata file from your identity provider and open it in a text editor. Remove the SingleSignOnService element whose Location URL contains 'saml2/soap/sso', keeping the other SingleSignOnService bindings and the signing certificate intact. Upload the modified file to MaaS360 and click Save.
- Save your MaaS360 Settings.
- Follow Adding a portal administrator account to add administrator accounts.
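The metadata edit in both procedures above (enrollment/End User Portal login and Administrator login) is safer to do with an XML parser than by hand: a text-editor slip can leave the file malformed or truncate the signing certificate, and the upload then fails or silently weakens signature checking. The following Python script is an added example, not IBM's or MaaS360's code. The metadata it embeds is constructed for illustration; its entityID, Location URLs and certificate value are placeholders. It removes every SingleSignOnService whose Location contains 'saml2/soap/sso', leaves the other bindings and the KeyDescriptor untouched, and reports what it removed.

```python
"""Remove the SOAP SingleSignOnService binding from an IdP metadata file.

Added example (not IBM's code). Usage:
    python prune_metadata.py idp-metadata.xml > idp-metadata-pruned.xml
With no argument it runs on the constructed sample below.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_MARKER = "saml2/soap/sso"   # the Location fragment named in the MaaS360 procedure

# Constructed sample metadata (placeholder entityID, URLs and certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml2/http-post/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/http-redirect/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/saml2/soap/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def prune_soap_sso(metadata_xml: str) -> tuple[str, list[str]]:
    """Return (modified metadata XML, list of removed Location URLs).

    Only SingleSignOnService children of IDPSSODescriptor are considered;
    KeyDescriptor, NameIDFormat and any other elements are left as they are.
    """
    # Keep the conventional prefixes so the output still reads like the download.
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    root = ET.fromstring(metadata_xml)
    removed: list[str] = []
    for idp in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        # list() so we can remove while iterating
        for sso in list(idp.findall(f"{{{MD_NS}}}SingleSignOnService")):
            location = sso.get("Location", "")
            if SOAP_MARKER in location:
                idp.remove(sso)
                removed.append(location)
    return ET.tostring(root, encoding="unicode"), removed


def remaining_sso_locations(metadata_xml: str) -> list[str]:
    """Locations of the SingleSignOnService bindings still present (sanity check)."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location", "") for e in root.iter(f"{{{MD_NS}}}SingleSignOnService")]


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    pruned, removed = prune_soap_sso(source)
    for loc in removed:
        print(f"removed SingleSignOnService: {loc}", file=sys.stderr)
    for loc in remaining_sso_locations(pruned):
        print(f"kept    SingleSignOnService: {loc}", file=sys.stderr)
    if not removed:
        print("warning: no 'saml2/soap/sso' binding found; file written unchanged", file=sys.stderr)
    print(pruned)
```

Two things worth knowing before uploading the result: the script writes the document without an XML declaration, which MaaS360's upload does not need, and if the downloaded file carries an enveloped XML Signature over the EntityDescriptor, any edit (manual or scripted) invalidates that signature, exactly as the manual procedure does. Check the stderr summary: exactly one binding should be removed and the HTTP-POST and HTTP-Redirect bindings should remain.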
Troubleshooting
- Review Application Settings in IBM Security Verify
- Open a new browser tab and log in to the Verify admin console, https://accountid-maas360.verify.ibm.com/ui/admin (where accountid is your tenant's account ID), using the IBMid you used when creating the IBM Security Verify tenant.
- Go to Applications and confirm that the MaaS360 Login application was created.
- Review the Verify Authentication Report
- Open a new browser tab and log in to the same Verify admin console, https://accountid-maas360.verify.ibm.com/ui/admin, using the IBMid you used when creating the IBM Security Verify tenant.
- Go to Reports > Authentication Activity. The authentication request shows the IdP name that was configured in MaaS360.
- Missing or invalid mandatory parameters in the SAML response
- If a mandatory parameter is missing or invalid during device enrollment, the following message is displayed:
The SAML token response is missing mandatory parameters or they are invalid. Please contact your IT administrator for further assistance. The parameters that are missing or invalid are domain, email.
- The end of the error message lists the mandatory values that are missing from the SAML response. The mandatory parameters currently supported are emailaddress and domain. Correct the values your corporate identity provider sends in the SAML response; see Mapping SAML attributes in a SAML response.
- Review the Console or Network logs
- Use the developer tools (Console and Network tabs) of a modern web browser while performing the login to confirm that SAML calls are actually made. If the configuration is complete, the SAML request and response are exchanged between your IdP and IBM Security Verify, and you can inspect the POSTed SAMLResponse there.
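When the enrollment error above names a missing parameter, the quickest way to confirm what the IdP actually sent is to take the SAMLResponse value from the browser's Network tab and inspect its AttributeStatement. The following Python script is an added example, not IBM's code. It assumes the HTTP-POST binding (the SAMLResponse form field is plain base64, not deflated as in HTTP-Redirect) and it matches attribute names by their last path segment, so a bare name like 'emailaddress' and a claim URI ending in '/emailaddress' both count; that matching rule is an assumption, not MaaS360's documented behaviour. The embedded response is constructed and unsigned; signature verification is deliberately out of scope, since the goal here is only to see which mandatory attribute is absent or empty.

```python
"""Check a captured SAMLResponse for the attributes MaaS360 reports as mandatory.

Added example (not IBM's code). Usage:
    python check_saml_attrs.py <base64 SAMLResponse from the Network tab>
With no argument it runs on the constructed sample below.
"""
import base64
import sys
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MANDATORY = ("emailaddress", "domain")   # names taken from the MaaS360 error text

# Constructed sample: unsigned assertion whose AttributeStatement lacks 'domain'.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-12-09T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-12-09T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="givenName">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def extract_attributes(saml_response_b64: str) -> dict[str, list[str]]:
    """Map each Attribute Name in the response to its list of AttributeValue strings."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        values = [(v.text or "") for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[name] = values
    return attrs


def short_name(attr_name: str) -> str:
    """'http://.../claims/emailaddress' -> 'emailaddress'; 'domain' -> 'domain' (assumed rule)."""
    return attr_name.rstrip("/").rsplit("/", 1)[-1].lower()


def missing_mandatory(attrs: dict[str, list[str]]) -> list[str]:
    """Mandatory names that are absent or carry only empty values (treated as invalid)."""
    present = {short_name(n) for n, vals in attrs.items() if any(v.strip() for v in vals)}
    return [m for m in MANDATORY if m not in present]


def describe(saml_response_b64: str) -> str:
    """One-line verdict in the same terms as the MaaS360 error message."""
    missing = missing_mandatory(extract_attributes(saml_response_b64))
    if not missing:
        return "all mandatory parameters present: " + ", ".join(MANDATORY)
    return "missing or invalid: " + ", ".join(missing)


if __name__ == "__main__":
    blob = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_RESPONSE_B64
    for name, values in extract_attributes(blob).items():
        print(f"{short_name(name):<16} {name} = {values}")
    print(describe(blob))
```

Paste the value of the SAMLResponse form field exactly as captured; if the browser shows it URL-encoded, decode that layer first. Seeing the attribute listed with an empty value is as much a mapping problem as not seeing it at all, which is why the check treats blank values as missing.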
Document Location
Worldwide
Document Information
Modified date:
09 December 2024
UID
ibm17167927