Single Sign-On Settings
About this task
Authenticating users with Single Sign-On
BigFix Compliance supports Single Sign-On (SSO) for user authentication through:
- Security Assertion Markup Language (SAML)
- Lightweight Third-Party Authentication (LTPA)
To open the Single Sign-On Settings page, click the settings gear icon and select Single Sign-On Settings from the list.
Configuring SAML Single Sign-On
About this task
Follow the steps below to set up SAML Single Sign-On for your system with Active Directory Federation Services (ADFS).
Before you begin
- Get the following information from the identity provider (IdP):
- Login URL
- Token-Signing Certificate
- Trusted Issuer
- Back up the following .xml files:
- <Install Dir>\wlp\usr\servers\server1\server.xml
- <Install Dir>\wlp\usr\servers\server1\app\tema.war\web.xml
- When enabling Single Sign-On in Server Settings, you must have at least one Single Sign-On user created. Before enabling Single Sign-On, you need to do the following:
- Create Single Sign-On users from Management > Users. The operator must create at least one user with the Administrators role and Single Sign-On as the Authentication Method.
- Consider changing the authentication method of existing users to Single Sign-On.
- Create User Provisioning rules as necessary (optional)
Note: The user name format for user provisioning must be a User-Principal-Name (or a SAM-Account-Name, without domain). Users provisioned for Single Sign-On are matched against the entries held in the directory server.
Procedure
- Log in to BigFix Compliance as an administrator, using the FQDN URL.
- Create an SSO user with administrator rights in the BigFix Compliance server.
- Follow these steps if you plan to use user provisioning:
- Add your directory server by creating an entry in the Directory Servers section (see Directory Servers).
- Configure the user provisioning rule in the User Provisioning section (see User Provisioning). When Single Sign-On is enabled, the authentication method of all provisioned users is Single Sign-On.
- Create a SAML configuration entry.
- Download the service provider metadata file, spMetadata.xml, from the link and use it to configure the service provider details on the identity provider.
After the service is restarted, the BigFix Compliance login page redirects to the identity provider's login page. Enter your credentials there. Once authentication succeeds, you are redirected to the BigFix Compliance landing page (the Security Configuration Overview page).
What to do next
Using SCA HTTPS Certificate for SAML
By default, SCA creates a dedicated self-signed certificate in a separate keystore, defined in server.xml as "SPKeyStore". You can instead use the certificate stored in "defaultKeyStore", so that the SAML service provider signs and decrypts with the same certificate that serves HTTPS. To adjust the setup for this purpose, follow these steps:
- Navigate to the path \SCA\wlp\usr\servers\server1\server.xml.
- Remove only the attributes keyAlias="samlsp" and keyStoreRef="SPKeyStore" from server.xml; leave the rest of the SAML configuration element in place.
- Open BigFix Compliance in a web browser.
- Get the information about the certificate:
- Click the Not secure label in the address bar to display the window.
- Select the Certificate is not valid option.
- Click the Details tab.
- Export the certificate in base64-encoded format.
- Add the exported certificate to Active Directory Federation Services (ADFS):
- Open ADFS Management.
- Proceed to Relying Party Trusts.
- Right-click the relying party for BigFix Compliance and select Properties.
- Open the Encryption tab.
- Remove the existing certificate.
- Click Browse and, in the file type drop-down, select All Files.
- Upload the exported certificate. If the trust is also configured to require signed requests from the service provider, set the same certificate on the Signature tab.
- Restart the BigFix Compliance server.
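After the restart, download spMetadata.xml again and confirm that the certificate it publishes is now the HTTPS certificate from defaultKeyStore, i.e. the one you exported from the browser and uploaded to ADFS. The following Python script is an added example written for this page, not code from BigFix Compliance or its documentation. It compares certificates by the SHA-256 fingerprint of their DER bytes, so it needs only the standard library. The metadata layout follows the SAML 2.0 metadata schema, but the entityID, the sample metadata documents and the base64 "certificates" are constructed placeholders rather than real certificates; `fetch_https_pem`, which wraps `ssl.get_server_certificate`, is only for running against a live server.

```python
"""Confirm that the SAML service-provider metadata now carries the HTTPS
certificate (defaultKeyStore) instead of the old dedicated 'samlsp' one.

Standard library only: certificates are compared by SHA-256 fingerprint of
their DER bytes, which is what ADFS and browsers display as the thumbprint.
"""
import base64
import hashlib
import re
import ssl
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of DER bytes."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a base64-encoded (PEM) certificate export, e.g. the
    file saved from the browser's certificate Details tab."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem, re.S)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return _fingerprint(base64.b64decode("".join(match.group(1).split())))


def metadata_fingerprints(metadata_xml: str) -> dict:
    """Return {KeyDescriptor use: fingerprint} for every certificate in the
    SP metadata.  A KeyDescriptor without 'use' applies to both purposes."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            found[kd.get("use", "signing+encryption")] = _fingerprint(der)
    return found


def metadata_matches_https(metadata_xml: str, https_pem: str) -> bool:
    """True only if the metadata publishes at least one certificate and all
    of them equal the certificate the server presents over HTTPS."""
    expected = pem_fingerprint(https_pem)
    found = metadata_fingerprints(metadata_xml)
    return bool(found) and all(fp == expected for fp in found.values())


def fetch_https_pem(host: str, port: int = 443) -> str:
    """Pull the live server certificate as PEM.  No chain validation is done,
    so this also works for the self-signed defaultKeyStore certificate.
    Not exercised by the offline sample below."""
    return ssl.get_server_certificate((host, port))


# --- Constructed sample data (NOT real certificates) -----------------------
# These byte strings stand in for DER bytes so the comparison runs offline.
_DER_DEFAULT = b"placeholder DER bytes: defaultKeyStore (HTTPS) certificate"
_DER_SAMLSP = b"placeholder DER bytes: old dedicated samlsp certificate"


def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def _sp_metadata(der: bytes) -> str:
    # Minimal SPSSODescriptor; the entityID is an assumed placeholder.
    b64 = base64.b64encode(der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sca.example.com/sca">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


HTTPS_PEM = _pem(_DER_DEFAULT)               # what the browser exported
METADATA_AFTER = _sp_metadata(_DER_DEFAULT)  # spMetadata.xml after the change
METADATA_BEFORE = _sp_metadata(_DER_SAMLSP)  # spMetadata.xml before the change

if __name__ == "__main__":
    print("after change :", metadata_matches_https(METADATA_AFTER, HTTPS_PEM))   # True
    print("before change:", metadata_matches_https(METADATA_BEFORE, HTTPS_PEM))  # False
```

Against a real server, replace the constructed inputs with `fetch_https_pem("<your FQDN>", 443)` and the contents of the freshly downloaded spMetadata.xml; a False result means the SAML element in server.xml still references the old keystore and ADFS will reject or fail to decrypt assertions after the Encryption tab change.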
Configuring LTPA Single Sign-On for your system
About this task
Before you begin
Note: After Single Sign-On is enabled, only Single Sign-On users can log in to BigFix Compliance Analytics. To avoid log-in access issues, convert all existing users, except the local Administrator user, to Single Sign-On users; keep the local Administrator as a fallback login in case the ISAM front end is unavailable.
When enabling Single Sign-On in Server Settings, you must have existing Single Sign-On users. Before enabling Single Sign-On, you need to do the following:
- Identify the ISAM server, the Directory Server, and the Compliance Server.
- Back up the following .xml files:
- <Install Dir>/wlp/usr/servers/server1/server.xml
- <Install Dir>/wlp/usr/servers/server1/app/tema.war/web.xml
- Create Single Sign-On users from Management > Users. The operator must create at least one Single Sign-On user with the Administrators role.
- Create User Provisioning rules.
Note: The user name format for user provisioning must be a User-Principal-Name (or a SAM-Account-Name, without domain). Users provisioned for Single Sign-On are matched against the entries held in the directory server.
Procedure
- Log in to BigFix Compliance and go to the Directory Servers section.
- Create a Directory Server entry for Single Sign-On authentication (see the Directory Servers section for how to add a Directory Server).
- Go to Management > Users to create a Single Sign-On user.
- Click Create User.
- Enter a user name that is registered in the directory server.
- Check the Administrators role (at least one Single Sign-On user must have the Administrators role).
- Specify Computer Groups as necessary (not applicable to administrators).
- Select Single Sign-On as the Authentication Method.
- Enter the email address and contact information (optional).
- Click Create.
- Create an LTPA configuration entry.
- Go to the Single Sign-On Settings page.
- Select LTPA as the Single Sign-On method.
- Select the directory server that was created in Step 2.
- If the directory server is configured with the SSL option, click Browse and upload the directory server's certificate.
- Click Save.
- Restart Compliance service.
- Download the LTPA keys from Compliance.
- Log in again to the Single Sign-On Settings page.
- Click the Download LTPA Keys link and save ltpa.keys.
- Configure the reverse proxy / virtual junction on ISAM with Compliance's server certificate and the LTPA keys (see https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/security/t_configuring_sso_isam.html for details). Protect ltpa.keys in transit and at rest: it holds the shared keys that sign and encrypt LTPA tokens, so anyone who obtains it can forge tokens that Compliance will accept.
- Enable Single Sign-On in Compliance.
- Log in again to the Single Sign-On Settings page.
- Click Enable.
- Restart the Compliance service.
- Access Compliance through ISAM's virtual host URL (such as https://<virtual_host>/sca).