Security Assertion Markup Language (SAML) and application security

The application server can now be configured to integrate Security Assertion Markup Language (SAML). SAML is an authentication protocol that authenticates your session with an Identity Provider (IdP) rather than directly with the system. By using SAML, you can create a single login ID for multiple systems. You can also sign in without a direct Lightweight Directory Access Protocol (LDAP) connection.

When you use SAML, a token is created and verified by the IdP and then passed to IBM® Maximo® Asset Management. This authentication mechanism is supported in WebSphere® Application Server by a Trust Association Interceptor (TAI). When authentication is required, TAI redirects the request from the system to the IdP. Before Maximo Asset Management can use SAML, you must configure TAI and WebSphere Application Server. For more information on how SAML, WebSphere, and TAI interact, see the IBM WebSphere Developer Technical Journal.

To use SAML, you must configure your IdP to send a NameID claim to the system that matches the login ID of a user in the MAXUSER table. Login IDs are case-sensitive, so the NameID claim and the login ID must use the same case. Administrators can also send group claims to control access to the system. Group claims validate users by membership in the MAXIMOUSERS group rather than by checking the list of all trusted users. The SAML assertion must be configured to send group claims before you can use this functionality.
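The following is an added illustration, not IBM's or Maximo's own code, of the two checks described above: a case-sensitive match of the assertion's NameID against the MAXUSER login IDs, and the optional MAXIMOUSERS group-claim check. It assumes the assertion has already been signature-verified by TAI (not shown), that the IdP sends groups in an attribute named `groups` (an assumption; the attribute name is whatever you configure on the IdP), and uses a constructed stand-in for the MAXUSER table.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the MAXUSER table; login IDs are stored case-preserved.
MAXUSER_LOGINIDS = {"jsmith", "ADMIN", "mwilson"}

GROUP_ATTRIBUTE = "groups"        # assumed IdP attribute name carrying group claims
REQUIRED_GROUP = "MAXIMOUSERS"    # group named in the text as the access gate

# Constructed sample assertion (signature already validated upstream by TAI).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>MAXIMOUSERS</saml:AttributeValue>
      <saml:AttributeValue>FINANCE</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract (name_id, [group claims]) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = nid.text.strip() if nid is not None and nid.text else None
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTRIBUTE:
            groups.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return name_id, groups


def authorize(name_id, groups, require_group=True):
    """Case-sensitive NameID lookup, then the MAXIMOUSERS check. Returns (allowed, reason)."""
    if name_id is None:
        return False, "assertion carries no NameID"
    if name_id not in MAXUSER_LOGINIDS:
        # A case-only mismatch is the common misconfiguration; name it so it is easy to diagnose.
        if name_id.lower() in {u.lower() for u in MAXUSER_LOGINIDS}:
            return False, "NameID case does not match login ID"
        return False, "NameID matches no login ID in MAXUSER"
    if require_group and REQUIRED_GROUP not in groups:
        return False, "user not in MAXIMOUSERS group"
    return True, "ok"


def check_assertion(xml_text, require_group=True):
    """Parse and authorize in one step."""
    name_id, groups = parse_assertion(xml_text)
    return authorize(name_id, groups, require_group)
```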