Step 1: Configuring single sign-on settings in BigFix Inventory

As the first step, configure single sign-on settings in BigFix Inventory.

Before you begin

Gather the necessary information
Before you start the configuration, gather the following information:
  • URL to the login page of the Identity Provider. It is the URL to which an unauthenticated request is redirected. After the request is authenticated by the Identity Provider, the user is redirected to BigFix Inventory.
    For example:
    • ADFS: https://<ADFS_hostname>/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://BFI_host_name:9081/ibm/saml20/defaultSP
    • ENTRA ID: https://launcher.myapps.microsoft.com/api/signin/<APPICATION ID / GUID>?tenantId=<TENANT ID / GUID>
  • URL of the Trusted Issuer. It is the URL to the certificate issuer of the Identity Provider that is needed to establish a trust relationship.
    For example:
    • ADFS: http://ADFS_host_name/adfs/services/trust
    • ENTRA ID: https://sts.windows.net/<TENANT ID / GUID>/
  • Public certificate of the Identity Provider in the key_name.cer format.
Enable SSL
Ensure that SSL is enabled in BigFix Inventory and in the Identity Provider.
Backup files
Before you start configuring single sign-on, back up the following files:
  • server.xml
    • Linux bfi_install_dir/wlp/usr/servers/server1
    • Windows bfi_install_dir\wlp\usr\servers\server1
  • web.xml
    • Linux bfi_install_dir/wlp/usr/servers/server1/apps/tema.war/WEB-INF
    • Windows bfi_install_dir\wlp\usr\servers\server1\apps\tema.war\WEB-INF
Note: If you set up the session timeout for Single Sign-On, remember that it should be longer than the session timeout that is set up for BigFix Inventory. Otherwise, change the settings in BigFix Inventory. For more information, see Setting session timeout.
Create users
Create BigFix Inventory users for users to use the single sign-on. During the user creation, select Single Sign-on as the authentication method. Ensure that all user names are fully-qualified names that contain the full domain name, for example: user@domain.example. Also, ensure that at least one user is an administrator.

Linux If the BigFix Inventory server is installed on Linux, and users in the Identity Provider use the camel-case naming convention, create users following the same convention in BigFix Inventory. Otherwise, the users can not generate the audit snapshots.

Note: User token is not available after a single sign-on user is created. If you need the token, for example, to run REST API calls, ask the BigFix Inventory administrator to provide it for you.

Procedure

  1. Log in to BigFix Inventory, and click Management > Single Sign-On Settings.
  2. Select SAML as the single sign-on method.

    The Instance ID field is automatically filled with the defaultSP value. It is the identifier of the BigFix Inventory service. Together with the BigFix Inventory URL, it forms the overall Service Provider ID: https://BFI_host_name:BFI_port/ibm/saml20/defaultSP.

    Based on this value, the SAML Assertion Consumer Service URL is built: https://BFI_host_name:BFI_port/ibm/saml20/defaultSP/acs. The URL should be used for the configuration of the Identity Provider.

  3. Specify the URL to the login page of the Identity Provider that you will use to single-sign-on to BigFix Inventory.
    For example:
    • ADFS: https://<ADFS_hostname>/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://BFI_host_name:9081/ibm/saml20/defaultSP
    • ENTRA ID: https://launcher.myapps.microsoft.com/api/signin/<APPICATION ID / GUID>?tenantId=<TENANT ID / GUID>
    Important: Ensure that the URL that you specify is correct. The address is not validated. If you make a typo in the URL, you might need to manually revert the SSO configuration.
  4. Provide the public certificate of the Identity Provider. Click Browse to locate the key_name.cer certificate that you created.
  5. Provide the URL of the certificate issuer of the Identity Provider. It is the issuer name of the Identity Provider as it appears in the SAML assertion.
    For example:
    • ADFS: http://ADFS_host_name/adfs/services/trust
    • ENTRA ID: https://sts.windows.net/<TENANT ID / GUID>/
    Important: Ensure that the URL that you specify is correct. The address is not validated. If you make a typo in the URL, you might need to manually revert the SSO configuration.
  6. Click Save.
  7. Optional: To use a custom certificate for the SSO setup, see: Using a CA-signed (custom) certificate for SSO based on SAML. Otherwise, continue to the next step.
  8. Click the Download Service Provider Metadata link, and save the spMetadata.xml file.
    Note: When the SAML single sign-on entry is created, only the Delete button, and the Download SP Metadata link are enabled. If the download link is not displayed, restart the BigFix Inventory server.

What to do next

Based on the spMetadata.xml file, configure Identity Provider for single sign-on.