Single Sign-On Settings

About this task

Authenticating users with Single Sign-On

BigFix Compliance supports Single Sign-On (SSO) for user authentication through:
  • Security Assertion Markup Language (SAML)
  • Lightweight Third-Party Authentication (LTPA)

To open the Single Sign-On Settings page, click the settings gear icon and choose Single Sign-On Settings from the list.

Configuring SAML Single Sign-On

Follow the steps below to set up SAML Single Sign-On for your system with Active Directory Federation Services (ADFS).

Before you begin
  • Get the following information from the identity provider (IdP):
    • Login URL
    • Token-Signing Certificate
    • Trusted Issuer
  • Back up the following .xml files:
    • <Install Dir>\wlp\usr\servers\server1\server.xml
    • <Install Dir>\wlp\usr\servers\server1\app\tema.war\web.xml
  • When enabling Single Sign-On in Server Settings, you must have at least one Single Sign-On user created. Before enabling Single Sign-On, do the following:
    • Create Single Sign-On users from Management > Users. The operator must create at least one user with the Administrators role and Single Sign-On as the Authentication Method.
    • Consider changing the authentication method of existing users to Single Sign-On.
    • Create User Provisioning rules as necessary (optional).
Note: The user name format for user provisioning must be a User-Principal-Name (or a SAM-Account-Name, without the domain part). User provisioning on Single Sign-On uses the user's entry on the directory server.

Procedure

  1. Log in to BigFix Compliance as an administrator (using the FQDN URL).
  2. Create an SSO user with administrator rights on the BigFix Compliance server.
    1. Go to Management > Users. Click Create User.
    2. Enter a user name. The user name format must match the Name ID format of the claim rule on the relying party trust in ADFS, that is, the LDAP attribute that the rule maps to Name ID:
      • User-Principal-Name: the user name is <user>@<domain name>. Example: user01@bigfix.local
      • SAM-Account-Name: the user name is <user>, without the domain part. Example: user01
      • E-Mail Address: the user name is the email address in the user's profile. Example: user01@bigfix.local

    3. Check the Administrators role.
      Note: At least one Single Sign-On user needs to have the Administrators role.
    4. Specify Computer Groups, as necessary (not applicable for administrators).
    5. Select Single Sign-On as the Authentication Method.
    6. Enter the email address and contact information (optional).
    7. Click Create.
  3. Follow these steps if you plan to use user provisioning.
    1. Add your directory server by creating an entry in Management > Directory Servers (see the Directory Servers section).
    2. Configure the user provisioning rule in Management > User Provisioning. When Single Sign-On is enabled, the authentication method of all provisioned users is Single Sign-On (see the User Provisioning section).
  4. Create a SAML configuration entry.
    1. Click New.
    2. Select SAML as the Single Sign-On method.
    3. Enter the values for the following field(s).
      • Login Page URL: Enter the IdP-initiated sign-on URL of ADFS. The LoginToRP parameter must be the relying party identifier that ADFS knows for Compliance, which is the entityID in spMetadata.xml: https://<ADFS_hostname>/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=https://<SCA_hostname>:9081/ibm/saml20/defaultSP
      • Identity Provider Certificate: Browse to select the identity provider certificate. This is the Token-Signing certificate exported from ADFS as DER- or Base64-encoded X.509. Compliance uses it to verify the signature on assertions, so re-export it when ADFS rolls its token-signing certificate.
      • Trusted Issuer: Enter the ADFS federation service identifier, http://<ADFS_hostname>/adfs/services/trust. It is an identifier, not an address that is contacted (note the http scheme), and must match the Issuer in the assertions exactly.
    4. Click Save.
    5. Restart BigFix Compliance service.
  5. Download the service provider metadata file (spMetadata.xml) and register the service provider on the identity provider.
    1. Log in to BigFix Compliance and go to Management > Single Sign-On Settings.
    2. Click the Download SP Metadata link to download the service provider metadata file, spMetadata.xml.
      Note: When the SAML SSO entry is created, only the Delete button and the Download SP Metadata link are enabled. If the download link is not enabled, try the following:
      1. Open the folder C:\Program Files\IBM\SCA\wlp\usr\servers\server1\apps\tema.war\WEB-INF\config\ (or the equivalent folder under your BigFix Compliance installation path).
      2. Copy the options.cfg.sample file and save it as options.cfg in the same folder.
      3. Open the options.cfg file and locate the line: #platform.sso.saml.metadata.link.ssl.verify=false.
      4. Remove the # from that line and save the file. Because this setting turns off SSL verification for the metadata link, treat it as a workaround for a server certificate that is not trusted rather than as a permanent setting.
      5. Restart the Compliance service.
      6. Log in again and check whether the download link is enabled.
      After the spMetadata.xml is downloaded, configure Relying Party Trusts in ADFS Management with the metadata file.
      1. In ADFS Management, navigate to Relying Party Trusts, click Add Relying Party Trust.
      2. Click Start and select Import data about the relying party from a file.
      3. Click Browse and specify the spMetadata.xml file and click Next.
      4. Specify a display name (for example Compliance) and click Next.
      5. Click Next all the way and Close.
      6. In the Edit Claim Rules window, click Add Rule, keep the Send LDAP Attributes as Claims template, and click Next.
      7. Enter a claim rule name such as Name ID.
      8. Select Active Directory as attribute store.
      9. Select User-Principal-Name as LDAP Attribute and Name ID as Outgoing Claim Type.
      10. Click Finish.
      Once ADFS is configured, continue to enable SSO in BigFix Compliance, on Management > Single Sign-On page:
    3. Click Enable.
    4. Restart BigFix Compliance service.
    After the service is restarted, the BigFix Compliance login page redirects to the login page of the identity provider. Enter your credentials. After successful authentication, you are redirected to the BigFix Compliance landing page (the Security Configuration Overview page).
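The following PowerShell script is an added example, not part of the BigFix Compliance documentation or product. It performs the ADFS side of the procedure above with the ADFS PowerShell module: it collects the three values the Compliance SAML entry asks for (Login Page URL, Trusted Issuer, Token-Signing certificate), imports spMetadata.xml as a relying party trust, adds the User-Principal-Name to Name ID claim rule that the ADFS Management wizard produces, and checks that the registered identifier matches the LoginToRP value. The file paths and the display name are assumptions; run it in an elevated session on the ADFS server.

```powershell
# Added example, not BigFix Compliance or HCL code. Assumed values: the two file
# paths and the relying party display name. Requires the ADFS PowerShell module.
Import-Module ADFS

$spMetadata = 'C:\temp\spMetadata.xml'          # assumed: spMetadata.xml downloaded in step 5
$rpName     = 'Compliance'                       # assumed: display name used in the ADFS wizard
$certOut    = 'C:\temp\adfs-token-signing.cer'   # assumed: output for "Identity Provider Certificate"

# Values to enter in the Compliance SAML entry (step 4).
$adfs          = Get-AdfsProperties
$trustedIssuer = $adfs.Identifier.AbsoluteUri    # http://<ADFS_hostname>/adfs/services/trust
$spEntityId    = ([xml](Get-Content -Path $spMetadata -Raw)).DocumentElement.GetAttribute('entityID')
$loginUrl      = "https://$($adfs.HostName)/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=$spEntityId"

# Export the primary Token-Signing certificate (public part only) as Base64-encoded X.509.
$signing = (Get-AdfsCertificate -CertificateType Token-Signing |
            Where-Object { $_.IsPrimary }).Certificate
$der = $signing.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $certOut -Value $pem -Encoding Ascii

# Claim rules in the ADFS claim rule language. The first is what the "Send LDAP
# Attributes as Claims" template generates for User-Principal-Name -> Name ID; use
# ";sAMAccountName;{0}" in the query instead if Compliance user names are SAM-Account-Names.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@
# Issuance authorization rule: permit every authenticated user (the wizard default).
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Import the relying party trust from spMetadata.xml (step 5, ADFS sub-steps 1 to 10).
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $spMetadata `
    -IssuanceTransformRules $nameIdRule -IssuanceAuthorizationRules $permitAll

# Check: the identifier ADFS registered must equal LoginToRP, otherwise the
# IdP-initiated sign-on URL returns an error page instead of an assertion.
$registered = (Get-AdfsRelyingPartyTrust -Name $rpName).Identifier
if ($registered -notcontains $spEntityId) {
    throw "Relying party identifier '$($registered -join ',')' does not match '$spEntityId'"
}

# Summary of what to paste into Management > Single Sign-On Settings.
[pscustomobject]@{
    LoginPageURL   = $loginUrl
    TrustedIssuer  = $trustedIssuer
    IdPCertificate = $certOut
    Thumbprint     = $signing.Thumbprint
}
```

The thumbprint in the summary is worth recording: when ADFS rolls its token-signing certificate, the assertion signatures stop verifying until the new certificate is uploaded into the Compliance SAML entry, and comparing thumbprints is the quickest way to confirm which certificate Compliance currently trusts.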

Configuring LTPA Single Sign-On for your system

About this task

Follow these steps to set up Lightweight Third-Party Authentication (LTPA) SSO for your system with IBM Security Access Manager for Web (ISAM).

Before you begin

Note: After Single Sign-On is enabled, only Single Sign-On users can log in to BigFix Compliance Analytics. To avoid login access issues, convert all existing users, except the local Administrator user, to Single Sign-On users.
When enabling Single Sign-On in Server Settings, you must have existing Single Sign-On users. Before enabling Single Sign-On, do the following:
  • Identify the ISAM server, the Directory Server and the Compliance Server.
  • Back up the following .xml files:
    • <Install Dir>/wlp/usr/servers/server1/server.xml
    • <Install Dir>/wlp/usr/servers/server1/app/tema.war/web.xml
  • Create Single Sign-On users from Management > Users. The operator must create at least one Single Sign-On user with the Administrators role.
  • Create User Provisioning rules.
Note: The user name format for user provisioning must be a User-Principal-Name (or a SAM-Account-Name, without the domain part). User provisioning on Single Sign-On uses the user's entry on the directory server.

Procedure

  1. Log in to BigFix Compliance and go to Management > Directory Servers.
  2. Create a Directory Server entry for Single Sign-On authentication (see the Directory Servers section for how to add a Directory Server).
  3. Create a Single Sign-On user.
    1. Go to Management > Users. Click Create User.
    2. Enter a user name that is registered in the directory server.
    3. Check the Administrators role (at least one Single Sign-On user needs to have the Administrators role).
    4. Specify Computer Groups, as necessary (not applicable for administrators).
    5. Select Single Sign-On as the Authentication Method.
    6. Enter the email address and contact information (optional).
    7. Click Create.
  4. Create an LTPA configuration entry.
    1. Go to Management > Single Sign-On Settings.
    2. Select LTPA as the Single Sign-On method.
    3. Select the directory server that you created in step 2.
    4. If the directory server is configured with the SSL option, click Browse and upload the directory server's certificate.
    5. Click Save.
  5. Restart Compliance service.
  6. Download the LTPA keys from Compliance.
    1. Log back in to the Single Sign-On Settings page.
    2. Click the Download LTPA Keys link and save ltpa.keys.
      Note: ltpa.keys holds the shared key with which ISAM creates the LTPA tokens that Compliance accepts, so anyone who obtains it can mint tokens. Transfer and store the file as a secret and delete working copies after the ISAM junction is configured.
  7. Configure the reverse proxy / virtual host junction on ISAM with Compliance's server certificate and the LTPA keys (see https://help.hcltechsw.com/bigfix/10.0/inventory/Inventory/security/t_configuring_sso_isam.html for details).
  8. Enable Single Sign-On in Compliance.
    1. Log back in to the Single Sign-On Settings page.
    2. Click Enable.
  9. Restart the Compliance service.
  10. Access Compliance through ISAM's virtual host URL (such as https://<virtual_host>/sca).