sap-oxmaint-saml-oauth2-secure-integration

SAML & OAuth 2.1 Integration: Secure SAP to Oxmaint Connectivity Guide


Oxmaint is a comprehensive maintenance management software that gives industrial teams mobile work orders, preventive maintenance scheduling, asset tracking, spare parts inventory, and AI condition monitoring — all with enterprise-grade SAP integration built in. The challenge for any SAP-connected maintenance platform is simple: how do you link a mobile-first tool like Oxmaint to your SAP environment without opening the door to credential theft or compliance failures? Oxmaint solves this with two modern identity standards working together — SAML 2.0 for single sign-on and OAuth 2.1 for API authorization. Together, they create a zero-trust bridge where no passwords travel, every token expires, and every SAP data exchange is cryptographically verified. Start your free Oxmaint trial with SAML SSO and OAuth 2.1 ready on day one. Or book a demo to see Oxmaint's secure SAP integration running live with your environment.

Enterprise Security Guide
SAML & OAuth 2.1: How Oxmaint Maintenance Software Secures SAP Integration
Technical Deep-Dive · 9 min read · CISO & IT Architecture

0: Passwords traveling between SAP and Oxmaint maintenance software with SAML SSO active
<15 min: Oxmaint OAuth 2.1 token lifetime — limiting exposure if a token is intercepted
60%: Reduction in credential-based attack surface when Oxmaint handles SAP identity federation
SOC 2: Oxmaint meets enterprise compliance baselines out-of-the-box for SAP-integrated deployments

Why Maintenance Software Security Matters for SAP Integration

Oxmaint is built to be the mobile execution layer for SAP-run enterprises — technicians completing work orders on phones, planners scheduling PMs from tablets, supervisors tracking costs in real time, all while SAP remains the system of record. But every connection between a maintenance platform and SAP is also a potential attack vector. Most maintenance software vendors ignore this problem or leave it as a "professional services" add-on. Oxmaint treats identity security as a core feature. When your maintenance management software handles SAML and OAuth 2.1 correctly from day one, three common failure modes disappear.

01. Shared Service Accounts
In typical maintenance software integrations, a single SAP technical user authenticates everything. When that credential leaks, every work order, parts transaction, and cost posting is compromised. Oxmaint binds every SAP call to the individual technician, preserving full audit trail integrity.
02. Hardcoded API Keys
Long-lived secrets sitting in config files, environment variables, or worse — source repositories. Rotation requires restarts. Exposure in logs or git history is permanent. Oxmaint's OAuth 2.1 approach means no secrets ever sit in Oxmaint or SAP configuration files.
03. Dual Identity Stores
Technicians forced to maintain separate credentials for SAP and their maintenance platform. Password fatigue drives reuse, weak choices, shared sticky notes. Oxmaint's SAML SSO unifies identity — one login at your IdP grants access to both Oxmaint and SAP transactions.
04. No Token Scoping
Most maintenance software tools issue blanket API access. A compromised token meant to post a work order could just as easily delete equipment masters. Oxmaint's scope-limited tokens ensure every SAP call only has permission for the exact operation it needs.
Built Into Oxmaint
The only maintenance management software that ships with enterprise SAP security configured by default
While other tools treat identity federation as a custom project, Oxmaint delivers SAML SSO, OAuth 2.1, and short-lived tokens out-of-the-box — so your SAP integration is secure on day one, not six months in.
SAML 2.0: Identity Federation
OAuth 2.1: API Authorization
PKCE: Mobile Flow Security
mTLS: Server Trust

SAML vs OAuth 2.1: How Oxmaint Uses Both

A common confusion slows SAP integration projects: teams treat SAML and OAuth as interchangeable when they actually solve different problems. SAML answers "who is this human?" and governs browser-based single sign-on. OAuth 2.1 answers "what can this application access on the user's behalf?" and governs machine-to-machine API calls. Oxmaint runs both simultaneously — SAML when a technician logs into the maintenance software, OAuth 2.1 every time Oxmaint calls SAP on that technician's behalf.

SAML 2.0: How Oxmaint Handles Human Login
Answers: Who is the technician opening Oxmaint?
Transport: Signed XML assertions via browser HTTP POST
Where Used: Oxmaint web portal & mobile app login
Token Format: Signed assertion with user attributes & groups
Lifetime: Session-bound, typically 8–12 hours
Revocation: Session termination at corporate IdP

OAuth 2.1: How Oxmaint Calls SAP Securely
Answers: What can Oxmaint do in SAP right now?
Transport: JWT bearer tokens over TLS 1.3
Where Used: Oxmaint-to-SAP API calls for every transaction
Token Format: Signed JSON Web Token with narrow scopes
Lifetime: Short-lived, typically 5–15 minutes
Revocation: Automatic expiry + revocation endpoint

The Complete Oxmaint-to-SAP Authentication Flow

When a technician opens Oxmaint maintenance software on a mobile device, they authenticate once through your corporate identity provider and then execute dozens of SAP transactions throughout the shift — without a second login prompt, without passwords crossing the wire, and with every API call individually authorized. Here is what actually happens inside the Oxmaint platform during that flow, broken into five sequential stages.

Step 1: Technician Opens Oxmaint
A maintenance technician launches the Oxmaint mobile app or web portal. Oxmaint detects the corporate email domain and redirects to your organization's SAML identity provider — Azure AD, Okta, Ping, or SAP IAS — without asking for a password directly.
SP-initiated · HTTP Redirect · No password at Oxmaint

Step 2: IdP Authenticates the User
The identity provider enforces MFA, conditional access policies, and device posture checks that your security team already configured. On success, it issues a signed SAML assertion containing the technician's identity and group memberships — but never sends a password back to Oxmaint.
MFA enforced · Signed XML · Group claims

Step 3: Oxmaint Validates & Establishes Session
Oxmaint validates the SAML signature, checks audience and timestamps, maps the user to an internal maintenance role (technician, planner, supervisor), and establishes a session. The technician lands on the Oxmaint work order dashboard — still without seeing a second login.
Signature validated · Role mapped · Session bound

Step 4: Oxmaint Requests an OAuth 2.1 Token for SAP
When Oxmaint needs to pull an equipment master or post a work order completion to SAP, it requests a short-lived OAuth 2.1 access token from SAP's authorization server — scoped precisely to the specific SAP operation needed, bound to the technician's identity from the SAML session.
JWT bearer · Scope-limited · 5–15 min TTL

Step 5: SAP Validates & Completes the Transaction
SAP verifies the JWT signature, checks scope against the requested operation, confirms token expiry, and executes the transaction. Every Oxmaint call is individually authorized. Every SAP response flows back over TLS. Every maintenance action is audit-logged against the original technician identity.
Scope-enforced · TLS 1.3 · Full audit trail
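
Steps 4 and 5 describe the resource-server side of the flow: a short-lived, narrowly scoped JWT is minted for the technician, and SAP checks signature, issuer, audience, expiry and scope before executing anything. The following Python is an added illustration of those checks and is not Oxmaint's or SAP's code. It uses a shared HS256 key so it runs offline with the standard library (real deployments use an asymmetric key published through the issuer's JWKS endpoint), and the issuer URL, audience string and operation-to-scope map are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Everything below is constructed for illustration. Real deployments sign access
# tokens with an asymmetric key and the resource server fetches the public key
# from the issuer's JWKS endpoint; a shared HS256 key is used here only so the
# example runs offline with the standard library.
SIGNING_KEY = b"demo-only-shared-secret"
EXPECTED_ISSUER = "https://auth.example.invalid"   # hypothetical authorization server
EXPECTED_AUDIENCE = "sap-maintenance-api"          # hypothetical SAP resource identifier

# Hypothetical map from SAP-side operation to the single scope it requires.
REQUIRED_SCOPE = {
    "read_equipment_master": "equipment.read",
    "post_workorder_completion": "workorder.write",
    "consume_spare_part": "parts.consume",
    "delete_equipment_master": "equipment.delete",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int = 900, now: int = None) -> str:
    """Authorization-server side: mint a short-lived JWT carrying only the requested scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": EXPECTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": subject,            # the technician from the SAML session, not a service account
        "iat": now,
        "exp": now + ttl_seconds,  # 900 s is the 15-minute upper bound described on the page
        "scope": " ".join(scopes),
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def authorize_call(token: str, operation: str, now: int = None):
    """Resource-server side: returns (True, subject) or (False, reason). Any failed check rejects."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return (False, "malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # 1. Signature first, over the exact bytes received, before trusting any claim.
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        return (False, "bad signature")
    if not hmac.compare_digest(expected, presented):
        return (False, "bad signature")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        return (False, "unexpected alg")
    claims = json.loads(_b64url_decode(claims_b64))
    # 2. Issuer and audience: a token minted for another API must not work here.
    if claims.get("iss") != EXPECTED_ISSUER:
        return (False, "wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return (False, "wrong audience")
    # 3. Expiry is enforced by the resource server, not trusted from the client.
    if now >= int(claims.get("exp", 0)):
        return (False, "expired")
    # 4. Scope: the token must carry the one scope this operation needs.
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        return (False, "unknown operation")
    if needed not in claims.get("scope", "").split():
        return (False, f"missing scope {needed}")
    return (True, claims.get("sub"))
```

The order matters: the signature is checked over the raw segments before any claim is parsed, and the algorithm is pinned by the verifier rather than read from the token. A token carrying `workorder.write` succeeds for a completion posting and is refused for an equipment deletion, which is the per-call least-privilege behaviour the page describes.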

Oxmaint's Layered Security Architecture

No single mechanism should carry the full weight of enterprise maintenance software security. Oxmaint stacks five protection layers for every SAP integration, each assuming the layer beneath it could fail. This defense-in-depth model is why Oxmaint deployments survive the kinds of edge cases — compromised tokens, misconfigured firewall rules, expired certificates — that break simpler maintenance management tools.

L5: Audit & Anomaly Detection
Oxmaint logs every authentication event, token issuance, and SAP API call with user, timestamp, source IP, and outcome. Unusual patterns — geographic impossibilities, off-hours bulk data access — trigger automated review in the Oxmaint admin console.
L4: OAuth 2.1 Scope Enforcement
Oxmaint tokens carry only the scopes needed for the specific SAP operation — `workorder.write`, `equipment.read`, `parts.consume`. A token issued for posting completions cannot be replayed to delete equipment masters. Least privilege is enforced per call.
L3: Short-Lived Tokens & PKCE
Oxmaint access tokens expire in 5–15 minutes. Mobile maintenance flows use PKCE (Proof Key for Code Exchange) to prevent authorization code interception on shared devices. Refresh tokens rotate on every single use — no reuse, ever.
L2: SAML Assertion Signing
Every SAML response Oxmaint receives is cryptographically signed by your identity provider. Oxmaint validates the signature, audience, and timestamp on each login. Replay attacks fail on the first attempt — no captured assertion can ever be reused.
L1: mTLS Transport Encryption
Mutual TLS between Oxmaint and SAP endpoints — both sides present certificates. No passive interception on the wire. No man-in-the-middle attacks. Connection fails immediately if either certificate is invalid, expired, or untrusted.
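
Layer L2 (and the "Assertion Signing Enforced" default later on the page) comes down to four checks on every login: the inner assertion's signature, its audience, its validity window, and a one-time-use record of its ID. The Python below is an added illustration of those checks at the service-provider side and is not Oxmaint's code. The IdP "signature" is an HMAC over the exact bytes of the inner `<saml:Assertion>` element, standing in for the enveloped XML-DSig signature a real IdP produces (which the SP verifies with the certificate from IdP metadata after canonicalization); the SP entity ID, clock-skew tolerance and sample assertion contents are assumptions.

```python
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Stand-ins for this example: the IdP "signature" is an HMAC over the exact bytes of the
# inner <saml:Assertion>. A real IdP emits an enveloped XML-DSig signature that the SP
# verifies with the certificate from IdP metadata after canonicalization.
IDP_SIGNING_KEY = b"demo-idp-key"
SP_ENTITY_ID = "https://maintenance.example.invalid/saml"   # hypothetical SP entity ID
CLOCK_SKEW = timedelta(seconds=120)                          # tolerated SP/IdP clock drift

# Assertion IDs already consumed; a real SP persists these at least until NotOnOrAfter.
seen_assertion_ids = set()


def sign_assertion(assertion_xml: bytes) -> str:
    return base64.b64encode(hmac.new(IDP_SIGNING_KEY, assertion_xml, hashlib.sha256).digest()).decode()


def build_response(assertion_id, subject, audience, not_before, not_on_or_after, groups):
    """Constructed IdP response: an outer <samlp:Response> wrapping one signed <saml:Assertion>."""
    assertion = (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{assertion_id}">'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="groups">'
        + "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
        + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
    )
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}">{assertion}'
            f"<AssertionSignature>{sign_assertion(assertion.encode())}</AssertionSignature></samlp:Response>")


def _parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(response_xml: str, now_iso: str):
    """SP side: returns (True, {...}) or (False, reason). Parses only the bytes whose signature verified."""
    now = _parse_time(now_iso)
    start = response_xml.find("<saml:Assertion")
    end = response_xml.find("</saml:Assertion>")
    if start < 0 or end < 0:
        return (False, "no assertion")
    signed_bytes = response_xml[start:end + len("</saml:Assertion>")].encode()
    match = re.search(r"<AssertionSignature>([^<]+)</AssertionSignature>", response_xml)
    if match is None:
        return (False, "assertion not signed")   # an unsigned inner assertion is never accepted
    expected = hmac.new(IDP_SIGNING_KEY, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(match.group(1))):
        return (False, "bad assertion signature")
    assertion = ET.fromstring(signed_bytes)        # only the verified element is parsed
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        return (False, "audience mismatch")
    conditions = assertion.find("saml:Conditions", NS)
    if now < _parse_time(conditions.get("NotBefore")) - CLOCK_SKEW:
        return (False, "not yet valid")
    if now >= _parse_time(conditions.get("NotOnOrAfter")) + CLOCK_SKEW:
        return (False, "expired")
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        return (False, "assertion replayed")
    seen_assertion_ids.add(assertion_id)
    return (True, {
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "groups": [v.text for v in assertion.findall(
            "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)],
    })
```

Two design points carry over to real SAML code: the parser is only ever fed the bytes whose signature verified, so an unsigned assertion placed elsewhere in the response wrapper is never the one that decides the login, and the replay record is keyed on the assertion ID and kept at least as long as the assertion's validity window.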

Token Lifecycle: What Oxmaint Does in 15 Minutes

The single most important shift between legacy maintenance software integrations and Oxmaint's OAuth 2.1 approach is token lifetime. Where traditional API keys live for years, Oxmaint access tokens live for minutes. This compressed window is a feature, not a limitation — it dramatically reduces the blast radius of any compromise, making Oxmaint's SAP integration fundamentally safer than tools relying on static credentials.

T+0: Token issued
T+5m: Active use
T+10m: Near expiry
T+14m: Refresh triggered
T+15m: Token expires
A compromised Oxmaint OAuth 2.1 access token becomes useless within 15 minutes — even if an attacker captures it in transit or from a lost device, their window of abuse is measured in minutes, not the months-to-years typical of hardcoded API keys in legacy maintenance software.
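
The timeline above (issue at T+0, refresh at T+14m, expiry at T+15m) together with the "refresh tokens rotate on every use" rule from layer L3 can be modelled as a small authorization-server state machine. The Python below is an added illustration, not Oxmaint's code: tokens are opaque random strings stored server-side by digest, a fake clock stands in for wall time, the refresh-token bound and the 60-second refresh lead time are assumptions, and reuse of a retired refresh token revokes the whole token family (the detection behaviour the page's "no reuse, ever" implies). It also includes a deprovisioning hook of the kind the FAQ describes for terminated users.

```python
import hashlib
import secrets

# Lifetimes follow the page's figures: 15-minute access tokens, refresh tokens rotated on
# every use. The refresh-token bound and the refresh lead time are assumptions.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 8 * 60 * 60
REFRESH_LEAD = 60


def token_hash(token: str) -> str:
    """Store only a digest server-side so a database leak does not leak usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def needs_refresh(access_exp: int, now: int) -> bool:
    """Client-side rule: refresh shortly before expiry (T+14m for a token issued at T+0)."""
    return now >= access_exp - REFRESH_LEAD


class TokenService:
    """Constructed authorization-server model with opaque tokens and rotation tracking."""

    def __init__(self):
        self.access = {}             # digest -> {"sub", "scope", "exp"}
        self.refresh = {}            # digest -> {"sub", "scope", "exp", "family", "used"}
        self.revoked_families = set()

    def _mint(self, sub, scope, family, now):
        access_token = secrets.token_urlsafe(32)
        refresh_token = secrets.token_urlsafe(32)
        self.access[token_hash(access_token)] = {"sub": sub, "scope": scope, "exp": now + ACCESS_TTL}
        self.refresh[token_hash(refresh_token)] = {"sub": sub, "scope": scope, "exp": now + REFRESH_TTL,
                                                   "family": family, "used": False}
        return {"access_token": access_token, "refresh_token": refresh_token, "exp": now + ACCESS_TTL}

    def issue(self, sub, scope, now):
        """Initial grant after the SAML login; starts a new refresh-token family."""
        return self._mint(sub, scope, secrets.token_hex(8), now)

    def introspect(self, access_token, now):
        """What SAP's side would check for an opaque token: known, unexpired, which user."""
        rec = self.access.get(token_hash(access_token))
        if rec is None:
            return (False, "unknown token")
        if now >= rec["exp"]:
            return (False, "expired")
        return (True, rec["sub"])

    def refresh_grant(self, refresh_token, now):
        """Rotate: the presented refresh token is retired and a fresh pair is issued."""
        rec = self.refresh.get(token_hash(refresh_token))
        if rec is None:
            return (None, "unknown refresh token")
        if rec["family"] in self.revoked_families:
            return (None, "family revoked")
        if rec["used"]:
            # A retired token came back: two parties hold copies, so retire the whole chain.
            self.revoked_families.add(rec["family"])
            return (None, "reuse detected, family revoked")
        if now >= rec["exp"]:
            return (None, "refresh token expired")
        rec["used"] = True
        return (self._mint(rec["sub"], rec["scope"], rec["family"], now), "rotated")

    def revoke_user(self, sub):
        """Deprovisioning hook: drop every access token and refresh family belonging to a subject."""
        for rec in self.refresh.values():
            if rec["sub"] == sub:
                self.revoked_families.add(rec["family"])
        self.access = {digest: rec for digest, rec in self.access.items() if rec["sub"] != sub}
```

Walking the page's timeline through this model: the token issued at T+0 is accepted at T+5m, the client sees `needs_refresh` turn true at T+14m and rotates, the original access token is refused at T+15m while the rotated one is accepted, and a second presentation of the original refresh token is treated as theft and kills the family.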

Oxmaint's 7 Security Configurations: Set Right by Default

Most SAML and OAuth 2.1 failures in maintenance software deployments trace back to configuration decisions made early in the project. Oxmaint makes these seven decisions for you — set right by default during onboarding, not left for your IT team to research and choose. Get them right on day one and your entire SAP integration stays resilient.

1. SP-Initiated SAML Flow (Default)
Oxmaint starts the login, redirects to your IdP. Avoids IdP-initiated flow vulnerabilities where unsolicited assertions can be replayed against the maintenance platform.
2. Assertion Signing Enforced
Oxmaint requires signatures on the inner SAML assertion element — not just the outer response wrapper. Prevents XML wrapping attacks automatically.
3. Authorization Code + PKCE
For Oxmaint mobile app to SAP calls. Eliminates the deprecated implicit flow. PKCE prevents code interception on shared mobile devices used by field technicians.
4. Short Token Lifetimes
Oxmaint access tokens: 5–15 minutes. Refresh tokens: rotated on every use. Long-lived tokens are a compliance finding waiting to happen — Oxmaint refuses them.
5. Narrow Token Scoping
Oxmaint never issues blanket tokens to SAP. `workorder.read`, `workorder.write`, `equipment.read` — granular scopes per transaction prevent privilege escalation.
6. mTLS Between Oxmaint & SAP
Both Oxmaint and SAP present certificates to each other. Mutual authentication at the transport layer closes man-in-the-middle paths entirely — no exceptions.
7. Automated Key Rotation
Oxmaint publishes metadata with JWKS endpoints. Automated quarterly key rotation with overlap periods prevents service disruption during certificate changes.
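
Configuration 3 above, "Authorization Code + PKCE", is the one item in this list with a precise protocol behind it (RFC 7636). The Python below is an added illustration of both halves of that exchange and is not Oxmaint's code: the mobile app keeps a random `code_verifier` on the device and sends only its S256 `code_challenge` on the front channel; the authorization server stores the challenge with the single-use code and, at the token endpoint, recomputes the challenge from the presented verifier. The client ID, redirect URI and one-minute code lifetime are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

CODE_TTL = 60   # assumption: authorization codes live one minute and are single-use


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 verifier: 32 random bytes base64url-encoded gives 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform; the 'plain' method offers no protection against code interception."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed model of the authorize/token endpoint pair with PKCE enforced."""

    def __init__(self):
        self.pending = {}   # code -> {"challenge", "client_id", "redirect_uri", "exp"}

    def authorize(self, client_id, redirect_uri, challenge, method, now):
        """Front channel: the app sends only the challenge; the verifier never leaves the device."""
        if method != "S256":
            return (None, "PKCE required with S256")
        if not challenge:
            return (None, "code_challenge missing")
        code = secrets.token_urlsafe(24)
        self.pending[code] = {"challenge": challenge, "client_id": client_id,
                              "redirect_uri": redirect_uri, "exp": now + CODE_TTL}
        return (code, "ok")

    def token(self, code, verifier, client_id, redirect_uri, now):
        """Back channel: the code is consumed on first presentation, whether or not it verifies."""
        rec = self.pending.pop(code, None)
        if rec is None:
            return (None, "unknown or already used code")
        if now >= rec["exp"]:
            return (None, "code expired")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return (None, "client or redirect_uri mismatch")
        if not 43 <= len(verifier) <= 128:
            return (None, "code_verifier length out of range")
        if not hmac.compare_digest(code_challenge(verifier), rec["challenge"]):
            return (None, "PKCE verification failed")
        return ({"access_token": secrets.token_urlsafe(32), "expires_in": 900}, "ok")
```

The property that matters for shared field devices: a party that observes the authorization code on the redirect but does not hold the device-side verifier cannot redeem it, and because the code is consumed on that first attempt the legitimate app's own exchange then fails loudly instead of silently sharing a session. The first assertion in the test uses the worked example from RFC 7636 Appendix B.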

Oxmaint vs Legacy Maintenance Software: Security Mistakes Avoided

Common Mistake: Long-lived bearer tokens
Why Legacy Tools Fail: A single leaked token grants months of unauthorized SAP access before rotation
How Oxmaint Handles It: Oxmaint issues 5–15 minute access tokens with automatic refresh rotation

Common Mistake: Skipping PKCE on mobile
Why Legacy Tools Fail: Authorization codes intercepted by malicious apps on shared field devices
How Oxmaint Handles It: Oxmaint requires PKCE for all mobile maintenance authentication flows

Common Mistake: Over-broad OAuth scopes
Why Legacy Tools Fail: A token meant to read assets can be replayed to delete them in SAP
How Oxmaint Handles It: Oxmaint enforces operation-specific scopes at both Oxmaint and SAP

Common Mistake: Ignoring assertion replay
Why Legacy Tools Fail: Captured SAML assertions reused to impersonate maintenance users
How Oxmaint Handles It: Oxmaint enforces one-time-use assertions with strict timestamp windows

Common Mistake: Shared service accounts
Why Legacy Tools Fail: No audit trail of which technician performed which SAP transaction
How Oxmaint Handles It: Oxmaint binds every token to individual user identity throughout the flow

Common Mistake: Certificate expiry surprises
Why Legacy Tools Fail: Production integration breaks when signing certs silently expire
How Oxmaint Handles It: Oxmaint monitors certs automatically with 90-day advance alerts

Compliance: How Oxmaint Maps to Enterprise Frameworks

SAML and OAuth 2.1 inside Oxmaint are not just security best practice — they directly map to specific control requirements in the compliance frameworks governing industrial maintenance operations. Here is how the maintenance software aligns to what your auditors will ask about.

SOC 2 Type II, CC6.1 — Logical Access
Oxmaint's federated SAML identity eliminates shared credentials; OAuth 2.1 scope control enforces least privilege at every SAP API call.
ISO 27001, A.9.4.2 — Secure log-on
Oxmaint SAML assertions enforce MFA at your IdP; no passwords traverse the network between the maintenance software and SAP.
NIST 800-53, IA-2, IA-5, AC-3
Oxmaint's identity federation, cryptographic authentication, and token-based access control satisfy multiple NIST IA families.
GDPR Article 32, Security of processing
Oxmaint's mTLS transport, signed assertions, and short-lived tokens provide technical measures for personal data in SAP flows.

Before Oxmaint vs After Oxmaint: Security Posture

Before — Legacy Maintenance Software
Hardcoded API keys in integration config files
Shared SAP technical user for all transactions
No user-level audit trail reaching into SAP
Keys live until manually rotated — often months
Separate credentials cause password fatigue
Manual deprovisioning across multiple systems
After — Oxmaint Maintenance Software
Zero secrets stored in Oxmaint or SAP configs
Every SAP transaction tied to individual user
Full audit trail end-to-end across both systems
Oxmaint tokens expire in 5–15 minutes automatically
Single sign-on with MFA enforced at your IdP
One IdP deprovisioning revokes everything instantly
Ready to Deploy
See Oxmaint's maintenance software and SAP integration running in under 30 minutes
Our integration team walks through your IdP (Azure AD, Okta, Ping, SAP IAS), your SAP environment, and the exact Oxmaint workflow for your maintenance operations — no generic slideware, just your actual setup.
Supported identity providers: Azure AD, Okta, Ping, SAP IAS

Frequently Asked Questions

Does Oxmaint maintenance software require changes to our SAP landscape?
No SAP configuration changes are required beyond standard OAuth client registration. Oxmaint's certified connector handles the full protocol bridge between your identity provider, SAP's authorization server, and the Oxmaint platform — so your SAP team does not need to learn new systems.
Can Oxmaint use our existing identity provider or do we need a new one?
Oxmaint works with any SAML 2.0 compliant identity provider — Azure AD, Okta, Ping Identity, SAP IAS, ADFS, Google Workspace, and others. No new IdP purchase is needed to deploy the maintenance software. Book a demo to verify your specific IdP compatibility with Oxmaint.
How does Oxmaint handle offline authentication for field technicians?
Oxmaint caches authenticated sessions with encrypted local storage, allowing full maintenance execution without connectivity. Queued SAP transactions sync when the device returns online, using fresh OAuth tokens issued at reconnection — no data loss.
What happens when a user is terminated in our identity provider?
Session termination at your IdP immediately blocks new Oxmaint logins. Any active OAuth tokens expire within 15 minutes maximum. Refresh token rotation fails on the next attempt — complete deprovisioning across Oxmaint and SAP without touching either system directly.
Does Oxmaint support certificate-based authentication on top of SAML and OAuth?
Yes. Mutual TLS with client certificates is supported for service-to-service authentication between Oxmaint and SAP endpoints, layered on top of OAuth 2.1 token-based authorization for maximum defense in depth. Start a free trial to explore Oxmaint's certificate configuration options.
How long does Oxmaint SAP security setup take during onboarding?
Most Oxmaint deployments complete identity federation configuration within the first week of onboarding. The full SAP connector with OAuth 2.1 token flows goes live by week two — well inside the standard 4–8 week Oxmaint deployment window.
Oxmaint: Maintenance Management Software That Makes SAP Integration Secure
Mobile work orders, PM scheduling, asset management, inventory, AI condition monitoring — with SAML 2.0 single sign-on, OAuth 2.1 with PKCE, mTLS transport, short-lived tokens, scope enforcement, and full audit trails all configured and ready. Not a consulting engagement. Your maintenance software.