Step 1: Configuring single sign-on settings in BigFix Inventory

As the first step, configure single sign-on settings in BigFix Inventory.

Before you begin

Gather necessary information
Before you start the configuration, gather the following information:
  • URL to the login page of the Identity Provider. It is the URL to which an unauthenticated request is redirected. After the request is authenticated by the Identity Provider, the user is redirected to BigFix Inventory.

    For example: https://ADFS_host_name/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://BFI_host_name:9081/ibm/saml20/defaultSP.

  • URL of the Trusted Issuer. It is the URL to the certificate issuer of the Identity Provider that is needed to establish a trust relationship.

    For example, http://ADFS_host_name/adfs/services/trust.

  • Public certificate of the Identity Provider in the key_name.cer format.
Enable SSL
Ensure that SSL is enabled in BigFix Inventory and in the Identity Provider.
Backup files
Before you start configuring single sign-on, back up the following files:
  • server.xml
    • Linux bfi_install_dir/wlp/usr/servers/server1
    • Windows bfi_install_dir\wlp\usr\servers\server1
  • web.xml
    • Linux bfi_install_dir/wlp/usr/servers/server1/apps/tema.war/WEB-INF
    • Windows bfi_install_dir\wlp\usr\servers\server1\apps\tema.war\WEB-INF
Note: If you set up the session timeout for Single Sign-On, remember that it should be longer than the session timeout that is set up for BigFix Inventory. Otherwise, change the settings in BigFix Inventory. For more information, see: Setting session timeout.
Create users
Create BigFix Inventory users who will use the single sign-on. During the creation of the users, select Single Sign-on as the authentication method. Ensure that all user names are fully-qualified names that contain the full domain name, for example: user@domain.example. Also, ensure that at least one user is an Administrator.

Linux If the BigFix Inventory server is installed on Linux, and users in the Identity Provider use the camel-case naming convention, create users following the same convention in BigFix Inventory. Otherwise, the users are not be able to generate audit snapshots.

Note: User token is not available after a single sign-on user is created. If you need the token, for example to run REST API calls, ask the BigFix Inventory administrator to provide it for you.

Procedure

  1. Log in to BigFix Inventory, and click Management > Single Sign-On Settings.
  2. Select SAML as the single sign-on method.

    The Instance ID filed is automatically filled with the defaultSP value. It is the identifier of the BigFix Inventory service. Together with the BigFix Inventory URL, it forms the overall Service Provider ID: https://BFI_host_name:BFI_port/ibm/saml20/defaultSP.

    Based on this value, the SAML Assertion Consumer Service URL is built: https://BFI_host_name:BFI_port/ibm/saml20/defaultSP/acs. The URL should be used for the configuration of the Identity Provider.

  3. Specify the URL to the login page of the Identity Provider that you will use to single sign-on to BigFix Inventory.
    For example:
    https://ADFS_host_name/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://BFI_host_name:9081/ibm/saml20/defaultSP
    Important: Ensure that the URL that you specify is correct. The address is not validated. If you make a typo in the URL, you might need to manually revert the SSO configuration.
  4. Provide the public certificate of the Identity Provider. Click Browse to locate the key_name.cer certificate that you created.
  5. Provide the URL of the certificate issuer of the Identity Provider. It is the issuer name of the Identity Provider as it appears in the SAML assertion.
    For example:
    http://ADFS_host_name/adfs/services/trust
    Important: Ensure that the URL that you specify is correct. The address is not validated. If you make a typo in the URL, you might need to manually revert the SSO configuration.
  6. Click Save.
  7. Optional: To use a custom certificate for the SSO setup, see: Using a CA-signed (custom) certificate for SSO based on SAML. Otherwise, continue to the next step.
  8. Click the Download Service Provider Metadata link, and save the spMetadata.xml file.
    Note: When the SAML single sign-on entry is created, only the Delete button, and the Download SP Metadata link are enabled. If the download link is not displayed, restart the BigFix Inventory server.

What to do next

Based on the spMetadata.xml file, configure Identity Provider for single sign-on.