Choosing the Right Authentication for Maximo Application Suite: A Guide for Administrators

Phil Runion
February 11, 2025

IBM Maximo Application Suite is a powerful platform for asset management, and when deploying Maximo in your organization, security should always be a top priority. A key element of security is choosing the right authentication mechanism for your Maximo instance. Maximo supports several types of authentication, and the best choice depends on your organization’s needs, infrastructure, and security policies. In this blog, we will explore the types of authentication available in Maximo, their advantages and disadvantages, and helpful tips for administrators.

Types of Authentication in Maximo

Maximo offers multiple authentication methods that can be configured according to your enterprise's security model. The three supported authentication types in Maximo are:

  1. Maximo Native or Local Authentication
  2. LDAP (Lightweight Directory Access Protocol) Authentication
  3. SAML (Security Assertion Markup Language) Authentication

Let's take a deep dive into each one.

Maximo Native or Local Authentication

Maximo Native Authentication is the default authentication method where user credentials are stored directly within Maximo’s database. When logging in, users provide their username and password directly to Maximo and the system validates them against the encrypted value in the Maximo database.

Advantages:

  • Simplicity: It's easy to configure and doesn’t require integration with external systems.
  • Control: Admins have complete control over user credentials and password policies at a system-by-system level.
  • Minimal Setup: Ideal for small environments where the user base is limited.

Disadvantages:

  • Limited Scalability: As the number of users grows, managing credentials separately within each Maximo instance becomes cumbersome.
  • Redundancy: It introduces redundancy if other systems in the organization use LDAP or other authentication services.
  • Security: Storing credentials in Maximo can be a security risk, especially for large-scale deployments where single sign-on (SSO) and multi-factor authentication support are preferred.

Admin Tips:

  • Configure strong password policies in Maximo to mitigate security risks.
  • Periodically audit users to ensure that access is limited to those who need it.
  • Demo, test, and QA users can easily be set up for one-off use cases.

LDAP Authentication

LDAP (Lightweight Directory Access Protocol) is a widely used authentication method that integrates Maximo with external directory services such as Microsoft Active Directory or OpenLDAP. With LDAP, Maximo delegates user authentication to an external service rather than managing users locally. When logging in, users provide their username and password directly to Maximo, and the system validates them against the external directory service.

Advantages:

  • Centralized User Management: Users are stored and managed in a central directory service (like Active Directory), which makes it easier to maintain and scale.
  • Single Sign-On (SSO): Supports SSO, reducing the number of credentials users need to remember.
  • Improved Security: Reduces the risk of storing credentials within Maximo, as authentication occurs outside the application.

Disadvantages:

  • Complexity: Configuring LDAP integration with Maximo can be more complex and may require expertise with directory services.
  • Reliability: If the LDAP server goes down, users may be unable to authenticate, so redundancy in LDAP setup is critical.
  • Network Access: Maximo must have access to the LDAP server. If Maximo is in the cloud, you must expose the LDAP server to the internet or enable connectivity via a VPN.
  • Control: The Maximo administrator typically will not have access to create new users in the external directory, creating a dependency on another team.
  • Multi-Factor: LDAP does not support multi-factor authentication.

Admin Tips:

SAML Authentication

SAML (Security Assertion Markup Language) is an XML-based open standard for transferring identity data. SAML allows for federated authentication, meaning that Maximo can delegate authentication to a third-party identity provider (IdP), such as Okta or Azure Active Directory. Once authenticated, the IdP sends a signed SAML assertion to Maximo, which grants the user access. When logging in, users are redirected to the IdP to authenticate, and once authenticated, they are directed back to Maximo as an authenticated user.
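The paragraph above describes Maximo trusting a signed assertion from the IdP. The checks a service provider must apply to that assertion before granting access are easy to see in code, so here is an added example (not code from the post, nor from IBM Maximo): it parses a constructed SAML Response, confirms a signature element is present, and validates issuer, audience restriction, time window and bearer-confirmation recipient. The entity IDs, URLs and the user name in the sample are placeholders, and verifying the XML signature itself is left to a proper XML-DSig library, which this example assumes rather than implements.

```python
"""Service-provider side checks on a SAML assertion (illustration only)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response; issuer, audience, ACS URL and user are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
    IssueInstant="2025-02-11T10:00:00Z" Destination="https://mas.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-02-11T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://mas.example.com/saml/acs"
            NotOnOrAfter="2025-02-11T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-02-11T09:59:00Z" NotOnOrAfter="2025-02-11T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://mas.example.com/saml/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, acs_url,
                       now, clock_skew=timedelta(seconds=60)):
    """Return (ok, problems, name_id). Every failing check is recorded, not only the first.
    Signature *verification* is assumed to be done by an XML-DSig library before this runs;
    here we only refuse assertions that carry no signature element at all."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, ["no Assertion element"], None

    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("missing Conditions")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now + clock_skew < parse_saml_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now - clock_skew >= parse_saml_time(not_on_or_after):
            problems.append("assertion expired")
        # Audience restriction stops an assertion minted for another SP being replayed here.
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience!r}")

    # Bearer confirmation must be addressed to this SP's assertion consumer service.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("bearer confirmation not addressed to this ACS URL")
    elif scd.get("NotOnOrAfter") and now - clock_skew >= parse_saml_time(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    return (not problems), problems, name_id


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_RESPONSE, "https://idp.example.com/metadata",
                             "https://mas.example.com/saml/sp",
                             "https://mas.example.com/saml/acs", "2025-02-11T10:01:00Z"))
```

The small clock-skew allowance matters in practice: an SP whose clock drifts a minute from the IdP's will otherwise reject every assertion, which is one of the common causes of "users cannot log in" after a SAML rollout.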

Advantages:

  • Single Sign-On (SSO): SAML enables SSO, allowing users to access Maximo along with other enterprise applications with a single set of credentials.
  • Federated Authentication: Allows Maximo to integrate with enterprise-level identity providers for a seamless authentication experience across multiple systems.
  • Enhanced Security: Authentication is delegated to an IdP, which can implement stronger, centralized security measures like multi-factor authentication (MFA).
  • Network Access: Maximo does not require direct access to the IdP like LDAP requires.

Disadvantages:

  • Complex Configuration: SAML setup requires configuring both Maximo and the IdP, which can be challenging for administrators who are not familiar with SSO protocols.
  • Dependency on IdP: If the IdP is unavailable, users may not be able to log in to Maximo.
  • Third-Party Support: Support for SAML is growing, but not all third-party applications support it.
  • Control: The Maximo administrator typically will not have access to create new users in the IdP, creating a dependency on another team.

Admin Tips:

Which Authentication to Choose?

Selecting the right authentication method depends on your organization’s needs and infrastructure. Here are a few guidelines to help you choose:

  • Native/Local authentication is the default authentication and will get you the quickest time to value. This works especially well for small teams and demo environments.
  • LDAP is a widely accepted standard and is supported by most IT teams and third-party products. On-premises environments typically already have the required network access, but cloud implementations usually require a VPN, which introduces risk, an extra dependency, and potentially cost.
  • SAML is the only one of the three methods that supports multi-factor authentication. It is also a widely used standard and is accepted as the most secure authentication method by most IT teams.

Maximo admins should always prioritize secure and efficient user management practices. When choosing the authentication method, be sure to plan for scalability, security, and ease of maintenance. By carefully selecting the appropriate authentication method and properly configuring it, you can ensure a secure and seamless user experience for all Maximo users.

Technical Tips for Maximo Application Suite

Multiple Authentication Sources

MAS allows administrators to mix and match authentication sources at a user-by-user level. First, you must configure the authentication sources, and then you can enable or disable which authentication method each user can use when creating or editing the user record.

Default Login Behavior

MAS allows a default login behavior to be selected. This setting is accessed in the User application in MAS on the Authentication tab. From here, you control which authentication method is offered at the top of the login screen. If you are using SAML, you can also route users straight to the default identity provider to authenticate rather than to the suite login page. If you do configure this seamless login, be sure to note the dedicated routes for any other authentication methods you might want to use; you will need them whenever a non-SAML login is required.

Example Local Dedicated Route: https://auth.demo.maximo.app/idplogin/loginpage?idp=local
Link to IBM Documentation: https://www.ibm.com/docs/en/masv-and-l/continuous-delivery?topic=authentication-streamlined-login

Screenshot of MAS Configuration

Extend SAML Timeouts

When using SAML in MAS, you might want to extend your HTTP session timeout and LTPA token expiration. Combining the guidance from two IBM articles (linked below) has proven to be a recipe for success.

Add these to your user interface server bundle additional properties:

<httpSession cookieName="JSESSIONIDUI" cookieSecure="true"
             invalidateOnUnauthorizedSessionRequestException="true"
             invalidationTimeout="12h" cookieSameSite="Lax"/>
<ltpa expiration="480" />

Link to IBM Documentation:

https://www.ibm.com/support/pages/node/7116228
https://www.ibm.com/support/pages/updating-ltpa-timeout-manage
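Because the two properties above are set in different units (a Liberty duration string for the session, minutes for the LTPA token), it is easy to end up with a pair that does not do what you intended. The following added example (not from the post or from IBM) parses the fragment, normalises both timeouts to minutes, flags cookie attributes that would weaken the session, and reports the effective interval after which a user is sent back to the IdP. Treating a bare integer as minutes for the ltpa element, the fallback defaults, and the assumption that whichever timeout expires first forces re-authentication are the author's reading of Liberty behaviour, not something the post states.

```python
"""Lint the Liberty <httpSession> / <ltpa> settings for a MAS SAML deployment (illustration only)."""
import re
import xml.etree.ElementTree as ET

# The fragment from the post, wrapped in a <server> root so it parses as one document.
SAMPLE_PROPERTIES = """<server>
<httpSession cookieName="JSESSIONIDUI" cookieSecure="true"
invalidateOnUnauthorizedSessionRequestException="true" invalidationTimeout="12h"
cookieSameSite="Lax"/>
<ltpa expiration="480" />
</server>"""

# Liberty duration units, expressed in milliseconds so the arithmetic stays exact.
UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}


def duration_minutes(value, default_unit="m"):
    """Convert a Liberty duration such as '12h', '1h30m', '90s' or a bare integer to minutes.
    A bare integer is read in default_unit (minutes, which is how expiration="480" is meant;
    that reading is an assumption of this example)."""
    value = value.strip()
    if value.isdigit():
        return int(value) * UNIT_MS[default_unit] / 60_000
    total_ms, pos = 0, 0
    for m in re.finditer(r"(\d+)(ms|s|m|h|d)", value):
        if m.start() != pos:
            raise ValueError(f"unrecognised duration {value!r}")
        total_ms += int(m.group(1)) * UNIT_MS[m.group(2)]
        pos = m.end()
    if pos != len(value) or total_ms == 0:
        raise ValueError(f"unrecognised duration {value!r}")
    return total_ms / 60_000


def lint_session_config(xml_text):
    """Return both timeouts in minutes, the effective re-login interval and a list of findings.
    The fallback defaults (30m session, 120 minute LTPA) are assumed Liberty defaults and are
    used only when the attribute is absent from the fragment."""
    root = ET.fromstring(xml_text)
    session = root.find("httpSession")
    ltpa = root.find("ltpa")
    if session is None or ltpa is None:
        raise ValueError("both <httpSession> and <ltpa> must be present")

    session_min = duration_minutes(session.get("invalidationTimeout", "30m"))
    ltpa_min = duration_minutes(ltpa.get("expiration", "120"))

    findings = []
    if session.get("cookieSecure", "false").lower() != "true":
        findings.append("cookieSecure is not true: the session cookie may be sent over plain HTTP")
    if session.get("cookieSameSite", "Disabled") not in ("Lax", "Strict"):
        findings.append("cookieSameSite is not Lax or Strict: cross-site requests can carry the session cookie")
    if session.get("invalidateOnUnauthorizedSessionRequestException", "false").lower() != "true":
        findings.append("invalidateOnUnauthorizedSessionRequestException is not true")

    return {
        "session_timeout_minutes": session_min,
        "ltpa_expiration_minutes": ltpa_min,
        # Assumption: whichever of the two expires first sends the user back to the IdP.
        "effective_reauth_minutes": min(session_min, ltpa_min),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, val in lint_session_config(SAMPLE_PROPERTIES).items():
        print(f"{key}: {val}")
```

Run against the fragment from the post, the report shows a 12 hour (720 minute) session but a 480 minute LTPA token, so under the stated assumption the token, not the session, decides when users are sent back to the IdP; that is worth knowing before you blame the session timeout for unexpected re-logins.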
