What changes from the BigFix user's perspective

From the perspective of an operator using the BigFix user interfaces, this enhancement affects only authentication.

After enabling SAML authentication for LDAP users:
LDAP operators:
  • Must authenticate to the Web UI and to Web Reports through the SAML identity provider only, by accessing the following URLs:

    https://<WebUI_server> (for the Web UI server, assuming that it uses port 443)

    https://<Web_Reports_server>:8083 (for each Web Reports server, assuming that port 8083 is used)

    Note: The buttons and links used to log out from the Web UI and Web Reports redirect these users to a page with a Re-authenticate button. Clicking it returns them to the Web UI or Web Reports pages without logging on again, unless the IdP login timeout has expired; in that case they are brought back to the IdP login page.
  • Must enable the Use SAML authentication check box in the Console login panel, if the BigFix server was configured to integrate with SAML V2.0.
    Console login panel with SAML check box enabled
    The selection is automatically validated and retained by BigFix for future login requests.
    Note:
    • To override the "The security certificate was issued by a company you have not chosen to trust" Windows Security Alert warning:

      Install the BigFix certificate (known as ServerSigningCertificate_0 by default) in the Trusted People store of Windows.

    • To override the "The name on the security certificate is invalid or does not match the name of the site" Windows Security Alert warning:

      Starting from BigFix Platform 9.5 Patch 16, you can update the BigFix certificate (known as ServerSigningCertificate_0 by default) to include an entry in the SubjectAltName field.

      Or you can add an alias for the BigFix server IP address in the Windows 'hosts' file on the Windows computer where the BigFix Console is installed, set it to the CN of the Subject name of the certificate (ServerSigningCertificate_0 by default), and use this alias in the Server field of the BigFix Console login panel.

      Ensure that the same name (for example, ServerSigningCertificate_0) is defined as the SAML endpoint in your Identity Provider (for example, AD/FS or WebSEAL) to guarantee that your BigFix Console login is authorized.
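The following Python is an added illustration (not part of the BigFix documentation or product) of why the name-mismatch warning appears and how each of the two remedies above removes it: the warning goes away once the names in the certificate match the value entered in the Server field. The certificate names, the server IP 192.0.2.10, the host bigfix.example.com and the RFC 6125-style matching rules are constructed assumptions; the exact Windows check may differ.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names carried by a server certificate (constructed sample values, not a real BigFix certificate)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a leading '*.' label matches exactly one host label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def name_matches(cert: CertNames, server_field: str) -> bool:
    """True if the host name or IP typed into the Console 'Server' field matches the certificate.

    Simplified RFC 6125-style model (assumption; the exact Windows check may differ):
    an IP address matches only an IP SAN entry, a host name matches a DNS SAN entry,
    and the Subject CN is consulted only when the certificate carries no SAN at all.
    """
    try:
        ip = ipaddress.ip_address(server_field)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns or cert.san_ip:
        return any(_dns_match(p, server_field) for p in cert.san_dns)
    return _dns_match(cert.subject_cn, server_field)


def hosts_alias_line(server_ip: str, cert: CertNames) -> str:
    """Hosts-file line for the alias workaround: resolve the certificate CN to the server IP."""
    return f"{server_ip}\t{cert.subject_cn}"


if __name__ == "__main__":
    default_cert = CertNames(subject_cn="ServerSigningCertificate_0")  # constructed: certificate without a SAN
    print("IP in Server field:", name_matches(default_cert, "192.0.2.10"))  # False -> warning shown
    print("hosts line:", hosts_alias_line("192.0.2.10", default_cert))
    print("CN alias in Server field:", name_matches(default_cert, "ServerSigningCertificate_0"))  # True
    san_cert = CertNames("ServerSigningCertificate_0", san_dns=["bigfix.example.com"])  # constructed: SAN added
    print("FQDN with SAN entry:", name_matches(san_cert, "bigfix.example.com"))  # True
```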

Local non-LDAP operators:
  • Log in to the Web UI or to the Web Reports by accessing the usual login URLs:

    https://<WebUI_server>/login (assuming that the Web UI is set on port 443)

    https://<Web_Reports_server>:8083/login (for each Web Reports server, assuming that Web Reports is set on port 8083)

  • Log in to the BigFix Console from the usual login panel ensuring that the Use SAML authentication check box is not selected.
    Note: If SAML is not enabled in the environment, the Use SAML authentication check box is greyed out.

After SAML is configured and enabled, only local non-LDAP users can log in through the API; the 4-eyes authentication approvers must be local accounts.