SAML 2.0

BigFix supports SAML 2.0. SAML authentication is an application login mechanism that uses a configured Identity Provider (IdP) to authenticate users.

While SAML authentication support is a feature of the BigFix platform, its configuration is implemented through the WebUI. The WebUI must be enabled in your deployment to take advantage of SAML. You can use the WebUI without setting up SAML, and use SAML without using the WebUI applications.

To activate SAML authentication without enabling the full set of WebUI components, start the WebUI in SAML-Only mode.

Enabling the WebUI in SAML-Only Mode

Starting the WebUI in SAML-Only mode allows you minimize resource consumption by activating the SAML authentication without enabling the full set of WebUI applications. In SAML-Only mode only those processes that are required to enable SAML authentication for the BigFix WebUI, the BigFix Web Reports, and the BigFix Console are created. All the other WebUI functions, other than the SAML Administration page, are unavailable.

Note: To use SAML with the full compliment of WebUI applications and functions do not use SAML-Only mode. Instead, use the standard enablement procedures explained in step 3 of the sequence listed below.

To start the WebUI in SAML-Only mode, use the computer setting _WebUIAppEnv_SAML_ONLY and the SAML Administration page. This is the procedure to follow, as BigFix Master Operator, to enable the WebUI in SAML-Only mode:

  1. Open the BigFix Console, select the All Contents domain and then Computers. Click your WebUI server name and select Edit Computer Settings.
  2. If not yet listed, add the computer setting _WebUIAppEnv_SAML_ONLY to the Settings list and set its value to 1.
    1. From Edit Settings, click Add to open the Add Custom Setting dialog.
    2. In the Setting Name field type: _WebUIAppEnv_SAML_ONLY
    3. In the Setting Value field type: 1
    4. Click OK.
    Note: If the setting _WebUIAppEnv_SAML_ONLY is already present but set to 0 (disabled), change its value to 1.
  3. If not yet enabled, enable the WebUI as described in the Installation Procedure. If you already enabled the WebUI, restart the WebUI service to activate the changes.
  4. For SAML to work correctly when you are installing the WebUI on a separate remote server, you must set the _WebUI_AppServer_Hostname key of the BigFix server computer to the hostname of the computer where the WebUI is installed.
  5. Log in to the WebUI. Type your WebUI URL into a browser window to display the /login page. Once your credentials are authenticated, the SAML Administration page (/administrator) displays.
  6. On the SAML Administration page, enter your SAML configuration settings, and click Enable.
    Note: To enable SAML authentication for Web Reports, Web Reports must be enabled for SSL. (This is required whether WebUI is in standard or SAML-Only mode.)
  7. Restart the BES Root Server, the Web Reports server, and the WebUI service to complete the process. SAML authentication is now enabled in SAML-Only mode for Web Reports, BigFix Console and WebUI.

After installing the WebUI, if you only want to switch from the full-WebUI to the SAML-Only mode, set the _WebUIAppEnv_SAML_ONLY setting to 1, and then restart the BES Root Server and the WebUI service to make the change operational.

When either _WebUiAppEnv_SAML_ONLY is not present, or it is set to 0, SAML-Only mode is not enabled.

For more information about the available settings affecting the WebUI configuration, see WebUI Server Settings for instructions.


  • In SAML-Only mode, appending /login to your WebUI URL displays the standard WebUI login form.
  • Logging in to the WebUI (using either SAML or the /login page) redirects users to the SAML Administration page. On this page Master Operators can configure SAML settings. Non Master Operators will see the “403 (Forbidden)" message, and will not be able to view or edit the SAML configuration.
  • If a user attempts to manually access the / URL after logging in, they will see a blank WebUI dashboard. Only the Home and Log Out controls will be active. Logging out redirects the user to the Reauthenticate page, regardless of the method they used to log in. All other navigable WebUI URLs (except / and the SAML Administration page) return an "Access Forbidden" message.