Authentication Options for Maximo
Whether you are tasked with protecting customer services, corporate and customer data, or day-to-day operations, ensuring that employees in your organization have the appropriate access level is a large part of your overall company security strategy.
This blog post comes from one of Interloc's Senior Technical Consultants, Jeremy Rempel. In it, Jeremy discusses the various options that are available for Maximo authentication.
When it comes to authenticating access, you have four different options. Read on to find out which option makes the most sense for you and your business.
Maximo internal authentication is the default option and has all users' information – such as logins and passwords – stored in the database. When a user accesses Maximo, they will be presented with a login form. If a user forgets their password, a Maximo system administrator will need to reset it. New users and their authorization are manually managed by a Maximo system administrator.
Active Directory Authentication
Using this option, Maximo still presents the same login form as in the Maximo Authentication option; however, when users enter their username and password, the credentials are delegated to the Application Server and authenticated against an Active Directory Server. WebSphere allows authentication against multiple directories. For example, if you have different company divisions or external contractors logging in, you may have multiple Active Directory installs. Since network passwords are being sent in cleartext over the network, TLS/HTTPS is recommended.
Users and groups can be either manually maintained by a Maximo system administrator or automatically synchronized using the VMMSYNC or LDAPSYNC cron tasks.
Single Sign On (SSO)
A third option is Kerberos SSO. When a user is logged into the Intranet and accesses Maximo, they can skip the login screen and log in to Maximo directly using the credentials they used to log into their desktop. SSO is supported by all major browsers (Internet Explorer, Chrome, Firefox). SSO is more secure than the form-based login approaches above because no passwords are being sent over the network.
Like Active Directory Authentication, the users and groups can be maintained by a Maximo system administrator or synchronized using VMMSYNC or LDAPSYNC cron tasks.
Trust Association Interceptor (TAI)
Trust Association Interceptors are a WebSphere-specific option that allows writing a custom Java class to authenticate users. TAI can be used for complex authentication scenarios, such as when a user is authenticated by a third party (e.g., a portal) and doesn't want to log in again to access Maximo. Since the TAI involves custom Java code, virtually any scenario can be supported.
And there you have it. Four ways to keep your data safe and your business secure. Questions? Feel free to contact Interloc.