Single Sign-On (SSO) settings

This section provides information on the different Single sign-on (SSO) settings.

Authenticating users with SSO

BigFix Compliance supports SSO for user authentication through the following:
  • Security Assertion Markup Language (SAML)
  • Lightweight Third-Party Authentication (LTPA)

To open the SSO settings page, navigate to the settings gear icon and click Single Sign-On Settings from the list.

Configuring SAML Single Sign-On (SSO)

Follow these steps to set up SAML SSO for your system with Active Directory Federation Services (ADFS).

Before you begin

Get the following information from the identity provider (IdP):
  • Login URL
  • Token-Signing Certificate
  • Trusted Issuer
  • Back up the following .xml files:
    • <Install Dir>\wlp\usr\servers\server1\server.xml
    • <Install Dir>\wlp\usr\servers\server1\app\tema.war\web.xml
  • When enabling SSO in the server settings, you must have at least one SSO user created. Before enabling SSO, perform the following steps:
    • Create an SSO user from Management > Users. The operator must create at least one user with the administrators role and SSO as the authentication method.
    • Consider changing the authentication method of existing users to SSO.
    • Create user provisioning rules as necessary.
Note: The username format for user provisioning must be a User-Principal-Name (or a SAM-Account-Name, without domain). User provisioning on SSO is associated with what is indicated on the directory server.
Perform the following steps to configure the SSO:
  1. Log in to BigFix Compliance as an administrator (using the FQDN URL).
  2. Create an SSO user with administrator rights in the BigFix Compliance server.
    1. Go to Management > Users. Click Create User.
    2. Enter the username. The username format must match the Name ID format of the claim rules on the relying party trust in ADFS, that is, the LDAP attribute selected there:
      • User-Principal-Name: the username format is <user>@<domain name>. Example: user01@bigfix.local
      • SAM-Account-Name: the username format is <user>, without the domain part. Example: user01
      • E-Mail Address: the username is the email address in the user's profile. Example: user01@bigfix.local
    3. Check the administrators role.
      Note: At least one SSO user must have the administrators role.
    4. Specify Computer Groups as necessary (not applicable for the administrator).
    5. Select Single Sign-On as the authentication method.
    6. Enter the email address and contact information.
    7. Click Create.
  3. Follow these steps to use user provisioning:
    1. Add your directory server by creating an entry in Management > Directory Servers. Refer to Directory Servers.
    2. Configure the user provisioning rule in Management > User Provisioning. When SSO is enabled, the authentication method of all provisioned users is SSO. Refer to User Provisioning.
  4. Create a SAML configuration entry on the Single Sign-On Settings page.
    1. Click New.
    2. Select SAML as the SSO method.
    3. Enter values for the following fields.
      • Login Page URL: Enter the login page URL.
        • ADFS: https://<ADFS_hostname>/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://<SCA_hostname>:9081/ibm/saml20/defaultSP
        • ENTRA ID: https://launcher.myapps.microsoft.com/api/signin/<APPLICATION ID / GUID>?tenantId=<TENANT ID / GUID>
      • Identity Provider Certificate: Browse to select the identity provider certificate. For ADFS, this is the Token-Signing certificate exported from ADFS as a DER or Base64-encoded X.509 certificate.
      • Trusted Issuer: Enter the trusted issuer.
        • ADFS: http://<ADFS_hostname>/adfs/services/trust
        • ENTRA ID: https://sts.windows.net/<TENANT ID / GUID>/
    4. Click Save.
    5. Restart the BigFix Compliance service.

Using SCA HTTPS Certificate for SAML

By default, SCA creates a dedicated self-signed certificate in a separate keystore, defined in server.xml as "SPKeyStore". It is also possible to use the certificate stored in the "defaultKeyStore". To adjust the setup for this purpose, follow these steps:

  1. Navigate to the path \SCA\wlp\usr\servers\server1\server.xml.
  2. Remove keyAlias="samlsp" and keyStoreRef="SPKeyStore" from server.xml.
  3. Open BigFix Compliance in a web browser.
  4. Get the information about the certificate.
    1. Click the Not secure label in the address bar to display the connection details window.
    2. Select the Certificate is not valid option.
    3. Click the Details tab.
    4. Export the certificate in Base64-encoded format.
  5. Add the exported certificate to Active Directory Federation Services (ADFS).
    1. Navigate to ADFS Management.
    2. Proceed to Active Directory Management Service > Relying Party Trusts.
    3. Right-click the available relying party and select Properties.
    4. Navigate to the Encryption tab.
    5. Remove the existing certificate.
    6. Click Browse and, in the file type dropdown, select All Files.
    7. Upload the downloaded certificate.
  6. Restart the BigFix Compliance server.
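As an added example (not BigFix Compliance tooling), the following Python script performs steps 1 and 2 above in a checked way: it writes a .bak copy of server.xml, removes exactly the keyAlias="samlsp" and keyStoreRef="SPKeyStore" attributes while leaving the rest of the file untouched, and re-parses the result so that a malformed server.xml never reaches the server. The server.xml below is a constructed fragment; the samlWebSso20 element is the Liberty element these attributes normally sit on, but your own file is the authority on where they appear.

```python
"""Remove the SP keystore attributes from server.xml (added example, not product code)."""
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Exactly the two attribute/value pairs the procedure says to remove.
ATTRS_TO_DROP = (("keyAlias", "samlsp"), ("keyStoreRef", "SPKeyStore"))


def strip_sp_keystore_attrs(text):
    """Return (new_text, removed_count) with the SP keystore attributes removed."""
    removed = 0
    for name, value in ATTRS_TO_DROP:
        # Match only this attribute with this exact value, including the space before it.
        pattern = re.compile(r'\s+%s\s*=\s*"%s"' % (name, re.escape(value)))
        text, count = pattern.subn("", text)
        removed += count
    return text, removed


def update_server_xml(path):
    """Back up server.xml, drop the attributes, and verify the result still parses."""
    path = Path(path)
    original = path.read_text(encoding="utf-8")
    new_text, removed = strip_sp_keystore_attrs(original)
    if removed == 0:
        return 0  # nothing to do; the file is left untouched
    ET.fromstring(new_text.encode("utf-8"))  # raises ParseError if the edit broke the XML
    shutil.copyfile(path, path.with_name(path.name + ".bak"))
    path.write_text(new_text, encoding="utf-8")
    return removed


# Constructed sample: a minimal server.xml fragment, not the file shipped with SCA.
SAMPLE_SERVER_XML = """<server description="constructed sample">
    <keyStore id="defaultKeyStore" password="{xor}placeholder"/>
    <keyStore id="SPKeyStore" location="samlsp.p12" password="{xor}placeholder"/>
    <samlWebSso20 id="defaultSP" keyStoreRef="SPKeyStore" keyAlias="samlsp"
                  httpsRequired="true"/>
</server>
"""


def demo():
    """Run the edit on a temporary copy of the sample; return (removed, text, backup_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "server.xml"
        target.write_text(SAMPLE_SERVER_XML, encoding="utf-8")
        removed = update_server_xml(target)
        result = target.read_text(encoding="utf-8")
        backup_exists = target.with_name("server.xml.bak").exists()
    return removed, result, backup_exists


if __name__ == "__main__":
    # For the real file, call update_server_xml(r"<Install Dir>\SCA\wlp\usr\servers\server1\server.xml").
    removed, result, backup = demo()
    print(f"removed {removed} attribute(s), backup written: {backup}")
    print(result)
```

The regex deliberately matches the attribute names together with the literal values the page gives, so an unrelated `keyStoreRef` on another element (for example an SSL configuration pointing at the default keystore) is left alone; the `keyStore id="SPKeyStore"` element itself is also kept, since the page only says to stop referencing it.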

Configuring SAML SSO - Microsoft Active Directory Federation Services (ADFS)

  1. Download the metadata of the service provider and configure the service provider details on the identity provider. Download the service provider metadata file, spMetadata.xml, as follows:
    1. Log in to BigFix Compliance and go to Management > Single Sign-On Settings.
    2. Click the Download SP Metadata link to download the service provider metadata file, spMetadata.xml.
      Note: When the SAML SSO entry is created, only the Delete button and the Download SP Metadata link are enabled. If the download link is not enabled, try the following:
      1. Open the C:\Program Files\IBM\SCA\wlp\usr\servers\server1\apps\tema.war\WEB-INF\config\ folder (or the corresponding folder under your BigFix Compliance installation path).
      2. Copy the options.cfg.sample file and save the copy as options.cfg in the same folder.
      3. Open the options.cfg file and locate the line #platform.sso.saml.metadata.link.ssl.verify=false.
      4. Remove the leading # to uncomment the line, and save the file.
      5. Restart the BigFix Compliance service.
      6. Log in again and check if the download link is enabled.
  2. Configure Relying Party Trusts in ADFS Management with the metadata file.
    1. In ADFS Management, navigate to Relying Party Trusts, click Add Relying Party Trust.
    2. Click Start and select Import data about the relying party from a file.
    3. Click Browse and specify the spMetadata.xml file and click Next.
    4. Specify a display name (for example Compliance) and click Next.
    5. Click Next through the remaining pages, then click Close.
    6. In the Edit Claim Rules window, click Add Rule and click Next.
    7. Enter a claim rule name such as Name ID.
    8. Select Active Directory as the attribute store.
    9. Select User-Principal-Name as the LDAP Attribute and Name ID as the Outgoing Claim Type.
    10. Click Finish.
  3. Once ADFS is configured, continue to enable SSO in BigFix Compliance, on Management > Single Sign-On page:
    1. Click Enable.
    2. Restart BigFix Compliance service.
    After the service restarts, the BigFix Compliance login page redirects to the login page of the identity provider. Enter your credentials. Once authentication succeeds, you are redirected to the BigFix Compliance landing page (Security Configuration Overview page).

Configuring SAML SSO - Microsoft Entra ID

To configure BigFix Compliance with Microsoft Entra ID, note that only the Identity Provider Initiated (IdP-initiated) scenario is supported. Microsoft Entra ID does not support the SAML HTTP POST binding that IBM WebSphere Liberty, used by BigFix Compliance, requires.

When configuring SCA in Microsoft Entra ID, make sure that you do not set the Sign-On URL or the Relay State. By specifying Entra's User Access URL as the Login Page URL in SCA, users are redirected to Microsoft Entra ID's Identity Provider Initiated (IdP-initiated) flow.
  1. Follow the Microsoft guide Security Assertion Markup Language (SAML) single sign-on (SSO) for on-premises apps with Microsoft Entra application proxy - Microsoft Entra ID | Microsoft Learn and use the following information:
    1. Identifier (Entity ID): https://<bigfix sca server>:9081/ibm/saml20/defaultSP
    2. Reply URL (Assertion Consumer Service URL): https://<bigfix sca server>:9081/ibm/saml20/defaultSP/acs
    3. Sign on URL: keep empty
    4. Relay State: keep empty
  2. Once the Entra ID is configured, continue to enable SSO in BigFix Compliance, on Management > Single Sign-On page:
    1. Click Enable.
    2. Restart BigFix Compliance service.
    After the service restarts, the BigFix Compliance login page redirects to the login page of the identity provider. Enter your credentials. Once authentication succeeds, you are redirected to the BigFix Compliance landing page (Security Configuration Overview page).
Possible issues
  • An endless redirection loop occurs. Proceed with manual setup and avoid using the metadata from BigFix Compliance. Make sure that neither the Sign-On URL nor the Relay State is configured. If these settings were configured, recreate the application definition in Entra ID from the beginning.
  • When the page for the Service Provider Initiated (SP-initiated) flow is provided as the SCA Login Page URL, you may get error AADSTS750054. This error is caused by the incompatibility between the HTTP binding methods of Entra and WebSphere (Redirect only vs. POST only). For more detailed information about the error, refer to Microsoft Learn - Troubleshoot AADSTS750054 error.
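Most SAML failures with either ADFS or Entra ID come down to one of the values above not matching on both sides: the Trusted Issuer, the Identifier (Entity ID), the Reply URL (ACS), the Token-Signing certificate, or the username format the Name ID is compared against. As an added example (not BigFix Compliance or Liberty code), the following Python script parses a SAML Response and reports exactly those mismatches, so a captured response can be checked against the SAML configuration entry before the server configuration is changed. It covers both the SAML configuration steps earlier on this page and the Entra ID values just listed. The host names, tenant ID, certificate and SAML Response are constructed placeholders; XML signature verification is left to the Liberty runtime and is not reimplemented here.

```python
"""Check a SAML Response against the SCA service-provider settings (added
example, not BigFix Compliance or Liberty code; signature checks are left to Liberty)."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Service-provider values from the page; SP_HOST is a placeholder for the SCA FQDN.
SP_HOST = "sca.example.local"
SP_ENTITY_ID = f"https://{SP_HOST}:9081/ibm/saml20/defaultSP"   # Identifier (Entity ID)
SP_ACS_URL = SP_ENTITY_ID + "/acs"                              # Reply URL (ACS)
# Trusted Issuer formats from the page; host and tenant ID are placeholders.
TRUSTED_ISSUER_ADFS = "http://adfs.example.local/adfs/services/trust"
TRUSTED_ISSUER_ENTRA = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def cert_body(text):
    """Reduce a PEM or bare Base64 certificate to its Base64 body."""
    lines = (line.strip() for line in text.splitlines())
    return "".join(l for l in lines if not l.startswith("-----")).replace(" ", "")


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 ('Z'), optionally with fractional seconds."""
    value = re.sub(r"\.\d+", "", value).rstrip("Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def name_id_format(name_id):
    # Username shape as the page describes it: '@' means UPN or e-mail, else SAM account.
    return "User-Principal-Name/E-Mail Address" if "@" in name_id else "SAM-Account-Name"


def check_saml_response(xml_text, trusted_issuer, idp_cert, provisioned_users, now):
    """Return the mismatches between the response and the SP settings ([] = all good)."""
    problems = []
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion"]
    # Issuer on both Response and Assertion must equal the configured Trusted Issuer.
    for elem, where in ((resp, "Response"), (assertion, "Assertion")):
        issuer = elem.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != trusted_issuer:
            problems.append(f"{where} Issuer {issuer!r} != trusted issuer {trusted_issuer!r}")
    # Destination must be the Reply URL (ACS); Audience must be the SP Entity ID.
    if resp.get("Destination") != SP_ACS_URL:
        problems.append(f"Destination {resp.get('Destination')!r} != ACS {SP_ACS_URL!r}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != SP_ENTITY_ID:
        problems.append(f"Audience {audience!r} != entity ID {SP_ENTITY_ID!r}")
    # Validity window of the assertion.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
        problems.append("assertion not yet valid (NotBefore)")
    if cond is not None and cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion expired (NotOnOrAfter)")
    # KeyInfo must carry the configured Token-Signing certificate; a rotated IdP
    # certificate shows up here before signature verification starts failing.
    presented = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                   default="", namespaces=NS)
    if cert_body(presented) != cert_body(idp_cert):
        problems.append("KeyInfo certificate differs from the configured IdP certificate")
    # NameID must match a provisioned SSO user exactly, in the chosen username format.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id not in provisioned_users:
        problems.append(f"NameID {name_id!r} ({name_id_format(name_id)}) matches no SSO user")
    return problems


# Constructed sample data: not a real certificate and not a captured response.
IDP_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.b64encode(b"constructed token-signing certificate").decode()
                + "\n-----END CERTIFICATE-----\n")
USERS = {"user01@bigfix.local"}  # the SSO user created in Management > Users
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)


def sample_response(issuer=TRUSTED_ISSUER_ADFS, name_id="user01@bigfix.local"):
    """Build a constructed, unsigned SAML Response for the checks above."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{SP_ACS_URL}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_body(IDP_CERT_PEM)}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    args = (TRUSTED_ISSUER_ADFS, IDP_CERT_PEM, USERS, SAMPLE_NOW)
    print("matching config:", check_saml_response(sample_response(), *args) or "OK")
    print("Entra issuer vs ADFS config:", check_saml_response(sample_response(TRUSTED_ISSUER_ENTRA), *args))
```

The second call shows what an issuer mismatch looks like: an Entra ID issuer presented to an entry configured with the ADFS Trusted Issuer is flagged on both the Response and the Assertion. The NameID check is the same comparison the user-creation steps describe: the value must equal the SSO username exactly, so a UPN-style Name ID will never match a user created in SAM-Account-Name form.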

Configuring LTPA Single Sign-On for your system

Follow these steps to set up Lightweight Third-Party Authentication (LTPA) SSO for your system with IBM Security Access Manager for Web (ISAM).

Before you begin

Note: After SSO is enabled, only SSO users can log in to BigFix Compliance Analytics. To avoid login access issues, all existing users, except the local administrator user, should be converted to SSO users.
When enabling the SSO server settings, you must have existing SSO users. Before enabling SSO, do the following:
  • Identify the ISAM server, Directory Server, and the Compliance Server.
  • Back up the following .xml files:
    • <Install Dir>/wlp/usr/servers/server1/server.xml
    • <Install Dir>/wlp/usr/servers/server1/app/tema.war/web.xml
  • Create SSO users from Management > Users. The operator must create at least one single sign-on user with the administrators role.
  • Create User Provisioning rules.
Note: The username format for user provisioning must be a User-Principal-Name (or a SAM-Account-Name, without domain). User provisioning on SSO is associated with what is indicated on the directory server.

Perform the following steps:

  1. Log in to BigFix Compliance and go to Management > Directory Servers.
  2. Create a Directory Server entry for single sign-on authentication. (See the Directory Servers section for how to add a Directory Server.)
  3. Create an SSO user.
    1. Go to Management > Users. Click Create User.
    2. Enter a username that is registered in the directory server.
    3. Check the Administrators role (at least one single sign-on user must have the Administrators role).
    4. Specify Computer Groups as necessary (not applicable for administrators).
    5. Select Single Sign-On as the authentication method.
    6. Enter the email address and contact information.
    7. Click Create.
  4. Create an LTPA configuration entry.
    1. Go to Management > Single Sign-On Settings.
    2. Select LTPA as the SSO method.
    3. Select the directory server that was created in Step 2.
    4. If the directory server is configured with the SSL option, click Browse and upload the directory server's certificate.
    5. Click Save.
  5. Restart the BigFix Compliance service.
  6. Download LTPA Keys from BigFix Compliance.
    1. Log in again to the SSO settings page.
    2. Click the Download LTPA Keys link and save ltpa.keys.
  7. Configure the reverse proxy / virtual junction on ISAM with the BigFix Compliance server certificate and the LTPA keys. For more information, refer to https://help.hcltechsw.com/bigfix/11.0/inventory/Inventory/security/t_configuring_sso_isam.html.
  8. Enable SSO in BigFix Compliance.
    1. Log in again to the SSO settings page.
    2. Click Enable.
  9. Restart the BigFix Compliance service.
  10. Access BigFix Compliance through ISAM's virtual host URL, such as https://<virtual_host>/sca.