Setting the MaaS360 identity provider and user identifier

MaaS360® synchronizes its users' information with Verify to authenticate and authorize users to access native-mobile applications on their devices. The users' information that MaaS360 sends to Verify comes from its own local user registry, or from another identity provider's external user registry. Assign the MaaS360 default identity provider and the unique user identifier to properly provision and map the MaaS360 users in Verify. The user mapping ensures that the MaaS360 users can sign in to their application on their managed devices and in Verify as the same user.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator.

About this task

When you integrate Verify with MaaS360, you must configure the following settings:
Default Identity Provider

Assign the MaaS360 identity provider in Verify to map the realm value of the MaaS360 identity provider to its corresponding identity provider in Verify. The realm value indicates the user registry from which the users' information is derived.

The Default Identity Provider option lists the configured Cloud Directory, SAML Enterprise, and MaaS360 Cloud Extender identity providers. For first-time use, only the Cloud Directory is configured by default.
Note: Initially, the Cloud Directory is empty except for the user who is designated as the administrator. You must onboard users to populate the Cloud Directory.
If you want to use a SAML Enterprise identity provider to represent the MaaS360 external user registry, you must first complete Setting the MaaS360 identity provider and user identifier. For example, MaaS360 can use Microsoft Azure Active Directory (Azure AD) as its cloud-based directory. To use Azure AD as the default identity provider, you must add it to the Default Identity Provider selection.
Unique User Identifier

Assign the unique user identifier to identify the MaaS360 users who access Verify. Verify uses the identifier together with the realm value to look for a matching user in the Verify cloud directory. If no match is found, the identities of the MaaS360 users are federated in the Verify cloud directory: a user profile is created in the cloud directory when such a user signs in to Verify for the first time.

The Unique User Identifier option consists of:
  • The standard user attributes from Verify, which include the built-in attributes that are defined in Directory > Attributes.
  • The MaaS360 osUserName@domain, which is a combination of the osUserName and domain attributes that are used in MaaS360.
Primary Identity Provider
The identity provider that contains the shadow accounts for the linked identity providers.
Note: A primary identity provider cannot have identity linking enabled.

Procedure

  1. Select Authentication > Identity providers.
  2. Select Global Settings.
  3. Select the primary identity provider from the menu.
  4. Select the default identity provider from Default Identity Provider.

    Choose Cloud Directory or MaaS360 Cloud Extender to represent the MaaS360 local user registry.

    Alternatively, choose any of the configured SAML Enterprise identity providers that correspond to the external user registry that MaaS360 uses.

  5. Select the preferred identifier from Unique User Identifier.

    The following table defines the mapping between the Verify and MaaS360 user attributes.

    Note: If you configured an on-premises Active Directory sync to Azure AD and want to use single sign-on to the Microsoft 365 application through MaaS360 passthrough authentication, you must create a custom attribute. The Active Directory base64-encoded objectGUID attribute is the ImmutableID that needs to be the user identifier in Verify. Verify does not support the base64-encoded objectGUID attribute by default. You must create a custom attribute of the type Identity provider credential, for example, O365SourceAnchor. See Managing attributes. Use the custom attribute that you created to map to the Verify UserID attribute and, if applicable, to the just-in-time provisioning mapping.
    Table 1. User attribute mapping
    Verify user attributes    MaaS360 user attributes
    preferred_username        osUserName
    userID                    osUserName
    given_name                userFirstName
    family_name               userLastName
    name                      userFullName
    displayName               userFullName
    email                     userEmail
    emailAddress              userEmail
    mobile_number             mobileNumber
    employee_id               empId
    upn                       upn
    department                dept
    job_title                 job
    osUserName@domain         osUserName@domain
  6. Optional: If your default identity provider is not Cloud Directory, enable just-in-time provisioning.
    For just-in-time provisioning, these mappings cannot be overwritten.
    MaaS360 attribute    Verify attribute
    userLastName         family_name
    mobileNumber         mobile_number
    userFullName         name
    userFirstName        given_name
    userEmail            email
    userFullName         displayName
  7. Specify how the attributes are synchronized from MaaS360 to Verify.
    Always: Map the attribute at each login.
    On user creation only: Map the attribute once at account creation.
    Disabled: Never map the attribute.
  8. Select Save.
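
As an added example, not code from IBM, Verify or MaaS360, the following Python models the behaviour this page describes: the lookup by realm plus unique user identifier from About this task, the Table 1 attribute mapping with the osUserName@domain composite, the fixed just-in-time pairs from step 6, the three synchronization modes from step 7, and the base64 objectGUID to ImmutableID encoding from the note in step 5. All function names, the sync-mode keys, the realm string and the sample user record are assumptions constructed for this example; the one technical assumption is that Active Directory stores objectGUID in the Windows mixed-endian byte layout, which Python exposes as `bytes_le`.

```python
import base64
import uuid

# Table 1 from the page: Verify attribute -> MaaS360 attribute.
ATTRIBUTE_MAP = {
    "preferred_username": "osUserName",
    "userID": "osUserName",
    "given_name": "userFirstName",
    "family_name": "userLastName",
    "name": "userFullName",
    "displayName": "userFullName",
    "email": "userEmail",
    "emailAddress": "userEmail",
    "mobile_number": "mobileNumber",
    "employee_id": "empId",
    "upn": "upn",
    "department": "dept",
    "job_title": "job",
    "osUserName@domain": "osUserName@domain",
}

# Just-in-time provisioning pairs the page says cannot be overwritten.
JIT_FIXED = {
    "family_name": "userLastName",
    "mobile_number": "mobileNumber",
    "name": "userFullName",
    "given_name": "userFirstName",
    "email": "userEmail",
    "displayName": "userFullName",
}

SYNC_MODES = ("always", "on_creation", "disabled")  # assumed keys for step 7

# Constructed sample MaaS360 user record (not real data).
SAMPLE_MAAS360_USER = {
    "osUserName": "jdoe",
    "domain": "example.com",
    "userFirstName": "Jane",
    "userLastName": "Doe",
    "userFullName": "Jane Doe",
    "userEmail": "jdoe@example.com",
    "mobileNumber": "+15555550100",
    "empId": "E1001",
    "upn": "jdoe@example.com",
    "dept": "Security",
    "job": "Engineer",
}

def check_custom_mapping(custom_map):
    """Reject a custom mapping that re-points one of the fixed JIT pairs."""
    for verify_attr, maas_attr in custom_map.items():
        if verify_attr in JIT_FIXED and JIT_FIXED[verify_attr] != maas_attr:
            raise ValueError(f"{verify_attr} must map to {JIT_FIXED[verify_attr]}")
    return True

def maas360_value(user, maas_attr):
    """Read one MaaS360 attribute; osUserName@domain is a composite."""
    if maas_attr == "osUserName@domain":
        return f"{user['osUserName']}@{user['domain']}"
    return user.get(maas_attr)

def map_attributes(maas_user, sync_policy, existing=None):
    """Apply Table 1 under a per-attribute sync mode; existing is the current
    Verify profile or None on first sign-in. Unlisted attributes default to "always"."""
    creating = existing is None
    profile = dict(existing or {})
    for verify_attr, maas_attr in ATTRIBUTE_MAP.items():
        mode = sync_policy.get(verify_attr, "always")
        if mode not in SYNC_MODES:
            raise ValueError(f"unknown sync mode {mode!r} for {verify_attr}")
        if mode == "disabled" or (mode == "on_creation" and not creating):
            continue  # keep whatever the profile already holds
        value = maas360_value(maas_user, maas_attr)
        if value is not None:
            profile[verify_attr] = value
    return profile

def resolve_user(directory, realm, identifier_attr, maas_user, sync_policy):
    """Look up (realm, unique identifier); federate a new profile if absent."""
    identifier = maas360_value(maas_user, ATTRIBUTE_MAP[identifier_attr])
    key = (realm, identifier)
    profile = map_attributes(maas_user, sync_policy, directory.get(key))
    profile["realm"] = realm  # federated users carry the IdP's realm value
    directory[key] = profile
    return profile

def immutable_id_from_objectguid(object_guid):
    """Base64 of the raw AD objectGUID bytes, which is the ImmutableID form.
    Assumes AD stores the GUID in the Windows mixed-endian layout (uuid bytes_le)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")

def objectguid_from_immutable_id(immutable_id):
    """Inverse of immutable_id_from_objectguid, to verify a mapped value."""
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))
```

Calling resolve_user twice with the same realm and osUserName shows the modes at work: an attribute set to On user creation only keeps its first value on the second sign-in, a Disabled attribute is never written, and attributes left on Always follow every change in MaaS360. The round trip through objectguid_from_immutable_id is a quick check that a custom O365SourceAnchor value was encoded from the raw GUID bytes rather than from the GUID's text form, which is the usual cause of an ImmutableID that does not match Azure AD.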

Results

When users access an application on their MaaS360 managed devices and authenticate with Verify, the users' identities are federated in Verify. You can view the federated users' information on the Directory > Users & groups > Users page. These users have the same Realm value that is assigned to your selected MaaS360 identity provider.