Assumptions and requirements
Before configuring BigFix to use SAML V2.0, carefully read the following list of assumptions and requirements.
- BigFix supports SAML V2.0 authentication with an SAML V2.0-compliant identity provider such as Active Directory Federation Services (ADFS).
- The SAML V2.0 authentication is restricted to:
- Only one SAML IdP backed by one or more LDAP directories. If you already defined multiple LDAP servers as user repositories in your BigFix environment, be aware that, after enabling SAML authentication, only the users and the groups managed by the selected IdP will still be known to the BigFix environment. In this case, ensure that your IdP environment is correctly configured so that the SAML IdP (ADFS or ISAM) can authenticate users from the different LDAP environments that you want to use as the user repository.
- Identity providers using SHA256 as secure hash algorithm.
- Web Reports servers connecting to only one data source (Root server) and configured with SSL.
- To configure and use SAML authentication, you must have the WebUI installed. If you are using the WebUI solely for providing SAML authentication for Web Reports and the BigFix console, you can start the Web UI in SAML-only mode to reduce resource consumption. For information about how to start the Web UI in SAML-only mode, see https://help.hcltechsw.com/bigfix/9.5/webui/WebUI/Admin_Guide/c_saml_2_0.html?hl=saml%2C2.0.
- In DSA architecture, the configuration is replicated to replica DSA servers. However, the replica does not enable WebUI for SAML on non-primary DSA's, because multiple WebUI configuration is not supported.
- Starting from Patch 16, the X.509 certificate used as server signing
key is generated with a subjectAltName field containing DNS name and IPs of
the Root server. This prevents the The name on the security certificate is invalid or
does not match the name of the site security warning from appearing during the
authentication process.
- For fresh installations, a new certificate is created during the process.
- For upgrades, the old certificate is left in place. To prevent the security warning, do the
following steps:
- Rotate the server signing key for the server to which you are connecting. For details of
the parameter, see Additional administration commands. In DSA
architecture, you do not need to rotate keys for all the servers.Important: This operation resigns all the existing content. In very large deployments, it can take up to some hours. To minimize the impact on the day to day deployment operations, plan a maintenance window.
- Apply, in alternative, the workaround described in What changes from the BigFix user's perspective.
- Rotate the server signing key for the server to which you are connecting. For details of
the parameter, see Additional administration commands. In DSA
architecture, you do not need to rotate keys for all the servers.
- When running Web Reports, if SAML is enabled, the check on the referrer is not performed. You
can use the setting
_HTTPServer_Referrer_CheckEnabledto enable or disable the referrer check. The referrer is an optional header of the HTTP protocol. It identifies the address of the web page (that is the URI or IRI) that linked to the resource being requested. For information about how BigFix manages the referrer check, see List of settings and detailed descriptions.