IBM Support

SAML users cannot log in after Maximo Application Suite 8.11 upgrade

Troubleshooting


Problem

After upgrading to Maximo Application Suite 8.11, SAML users can no longer log in.

Symptom

When logging in as a SAML user, this error is received:
[Screenshot: login error]
Reviewing the coreidp pod log files, error messages such as these may be seen:
ibm.mas.internal.auth.samlresolver.SamlCredentialResolver A AIUEV2151A: Starting V3 SAML validation validation for the user id maxadmin
ibm.mas.internal.auth.samlresolver.SamlCredentialResolver W AIUSC0001W: SAML user maxadmin not found in MAS database
ibm.mas.internal.auth.samlresolver.SamlCredentialResolver A AIUEV2151A: Starting V2 SAML validation validation for the user id maxadmin
ibm.mas.internal.auth.samlresolver.SamlCredentialResolver E AIUSC0001E: SEVERE: User: maxadmin is not a SAML user

Cause

During the Maximo Application Suite 8.11 upgrade, a database migration conflict can occur if MAS is configured to use SAML authentication and the environment contains any user whose userid is not identical to their username. To remedy this, an administrator is required to create a ConfigMap to migrate the data by using either their SAML username or SAML userid. Review this document for further detail: "Maximo Application Suite cannot be upgraded during data migration".
If this data migration is performed incorrectly and the wrong value is mapped, SAML users will no longer be able to log in.

Diagnosing The Problem

During the data migration, a datamodelmigration pod is created within the Maximo Application Suite core namespace. This pod's logs can be reviewed to determine all users who have been affected by the migration:
INFO:__main__:<start> Upgrading datamodel 8.11
INFO:mas.utils.datamodelMigration:Updating user: maxadmin from v2 to v3
INFO:mas.utils.datamodelMigration:{'User_id': 'maxadmin', 'updated': True}
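
When many users are involved, the log review described above can be scripted. The following is an added example, not IBM's code: it assumes only the log line formats quoted on this page, and the function names and the second user "jsmith" are constructed for illustration.

```python
import ast
import re

# Constructed sample logs in the formats quoted on this page ("jsmith" is invented).
MIGRATION_LOG = """\
INFO:__main__:<start> Upgrading datamodel 8.11
INFO:mas.utils.datamodelMigration:Updating user: maxadmin from v2 to v3
INFO:mas.utils.datamodelMigration:{'User_id': 'maxadmin', 'updated': True}
INFO:mas.utils.datamodelMigration:Updating user: jsmith from v2 to v3
INFO:mas.utils.datamodelMigration:{'User_id': 'jsmith', 'updated': True}
"""
COREIDP_LOG = """\
ibm.mas.internal.auth.samlresolver.SamlCredentialResolver W AIUSC0001W: SAML user maxadmin not found in MAS database
ibm.mas.internal.auth.samlresolver.SamlCredentialResolver E AIUSC0001E: SEVERE: User: maxadmin is not a SAML user
"""

RESULT_RE = re.compile(r"^INFO:mas\.utils\.datamodelMigration:(\{.*\})\s*$")
FAILURE_RES = (
    re.compile(r"AIUSC0001W: SAML user (.+?) not found in MAS database"),
    re.compile(r"AIUSC0001E: SEVERE: User: (.+?) is not a SAML user"),
)


def migrated_users(log_text):
    """User ids whose migration result record says updated=True, in log order."""
    users = []
    for line in log_text.splitlines():
        match = RESULT_RE.match(line)
        if not match:
            continue
        try:
            record = ast.literal_eval(match.group(1))  # Python dict repr, not JSON
        except (ValueError, SyntaxError):
            continue  # truncated or malformed record: skip instead of guessing
        if isinstance(record, dict) and record.get("updated") is True:
            user = record.get("User_id")
            if isinstance(user, str) and user not in users:
                users.append(user)
    return users


def failing_saml_users(log_text):
    """User ids named in coreidp SAML resolver warnings or errors."""
    return {u for rx in FAILURE_RES for u in rx.findall(log_text)}


def triage(migration_log, coreidp_log):
    """Pair each migrated user with whether coreidp shows a SAML login failure."""
    failing = failing_saml_users(coreidp_log)
    return [(user, user in failing) for user in migrated_users(migration_log)]
```

Run `triage` over the saved datamodelmigration and coreidp pod logs; users flagged `True` are the ones whose SAML ID should be checked first.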

Resolving The Problem

Once the affected users have been confirmed, you can log in as an administrative superuser or any local administrator to modify the user record. You should modify the SAML ID value for the affected users to ensure it matches what is used with your SAML configuration:
[Screenshot: user administration page]
Once this has been modified to the value matching your SAML configuration, the user should now be able to log in.
If there are a large number of users impacted by this issue, you may want to consider using the Import users functionality or the API to perform a bulk update. You could also update the Users collection on the MongoDB database directly; however, we do not generally recommend this route for modifying MAS user data.

Document Location

Worldwide


Document Information

Modified date:
18 April 2024

UID

ibm17148310