Welcome
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
Configuring and enabling single sign-on (SSO)
Available from 9.2.1. You can now use the two-factor authentication and use SSO to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
Option 1: Configuring single sign-on based on Security Assertion Markup Language token
You can configure single sign-on based on a Security Access Markup Language (SAML 2.0) token and an external Identity Provider server.
Step 2: Configuring Identity Provider for single sign-on
As the second step, configure BigFix Inventory server as a relying party to consume claims from the Identity Provider. Perform the configuration based on the spMetadata.xml file that you downloaded from BigFix Inventory.

BigFix Documentation Homepage
BigFix 10 Inventory Documentation
Overview
Become familiar with key concepts that are necessary to understand how BigFix Inventory works and learn about features and functions that are introduced in every version of the application.
Installing
Learn about the requirements and available installation scenarios to ensure that the deployment of BigFix Inventory goes smoothly in your environment.
Configuring
After you install BigFix Inventory, configure the application. Create accounts for the users who need access to the application and set up scans to collect software and hardware inventory data from your environment.
Upgrading
A new version of BigFix Inventory is released periodically, typically at the end of each calendar quarter. Upgrade to the new version regularly to take full advantage of new features and application fixes.
Managing the infrastructure
After you complete the initial configuration of BigFix Inventory, learn how to manage components of its infrastructure: VM managers, server, database, and data sources.
Software inventory and license utilization
You can classify the discovered software so that reports in BigFix Inventory reflect your entitlements and properly show utilization of license metrics by particular products.
Managing security threats
Learn how to use BigFix Inventory to manage security threats in your environment. You can view whether any of the installed components is prone to any Common Vulnerability and Exposure (CVE).
Tutorials
Tutorials help you understand how to use BigFix Inventory. They consist of modules that focus on broad goals. Modules consist of tasks that show how to configure specific settings step-by-step.
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
- Flow of data
  There are several different interactions that occur between the components of the BigFix Inventory infrastructure and between the user and tool.
- Security configuration scenarios
  Check what security options need to be enabled on the BigFix server and the BigFix Inventory server to achieve each of the supported security scenarios.
- Configuring database connection encryption
  You can encrypt the connection between BigFix Inventory server and the BigFix Inventory database. Encryption is established between BigFix Inventory server and the database engine using a JDBC driver. You can encrypt the connection while upgrading the server.
- Configuring secure communication
  To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication
- Assuring compliance with federal encryption standards
  You can configure BigFix Inventory to be compliant with the Federal Information Processing Standard requirements that are related to encryption.
- Authenticating users with LDAP
  BigFix Inventory supports authentication through a Lightweight Directory Access Protocol (LDAP) server. To use this feature, you must configure the BigFix Inventory server.
- Configuring and enabling single sign-on (SSO)
  Available from 9.2.1. You can now use the two-factor authentication and use SSO to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token and Microsoft™ Active Directory Federation Services as Identity Provider or you can use the IBM Lightweight Third-Party Authentication (LTPA) technology and IBM Security Access Manager for Web as the authentication service.
  - Option 1: Configuring single sign-on based on Security Assertion Markup Language token
    You can configure single sign-on based on a Security Access Markup Language (SAML 2.0) token and an external Identity Provider server.
    - Step 1: Configuring single sign-on settings in BigFix Inventory
      As the first step, configure single sign-on settings in BigFix Inventory.
    - Step 2: Configuring Identity Provider for single sign-on
      As the second step, configure BigFix Inventory server as a relying party to consume claims from the Identity Provider. Perform the configuration based on the spMetadata.xml file that you downloaded from BigFix Inventory.
    - Step 3: Enabling the SAML single sign-on
      As the final step, enable single sign-on in the BigFix Inventory web user interface.
    - Reverting disabled SSO configuration for SAML
      You can revert to the default SAML SSO configuration with single sign-on disabled if there are problems with logging in to the application.
  - Option 2: Configuring SSO based on LTPA
    You can configure single sign-on based on IBM Lightweight Third-Party Authentication(LTPA)with ® IBM Security Access Manager for Web.
  - Creating single sign-on users
    To complete an authentication process through single sign-on, you must create users that can later log in to BigFix Inventory.
  - Logging out of the BigFix Inventory server
    To log out of the BigFix Inventory user interface, simply clear your browser history and restart the browser.
  - Disabling the single sign-on configuration
    You can disable the SSO configuration on the Single Sign-on Settings pane.
  - Deleting the single sign-on configuration
    You can delete the SSO configuration on the Single Sign-on Settings pane.
  - Modifying port in BigFix Inventory that has single sign-on enabled
    Modifying the port number on the Server Settings pane in BigFix Inventory while single sign-on is enabled invalidates the single sign-on configuration. To properly modify the port, you must repeat the single sign-on configuration steps.
  - Configuring SSO keystore passwords and encryption
    Configure unique passwords to the SSO keystores, and encrypt them with the AES encryption algorithm.
- Configuring passwords and encryption mechanisms
  To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
- Configuring user account lockout
  Available from 9.2.8. By default, user account is locked for 5 minutes after the user attempts to log in to BigFix Inventory more than 10 times within 5 minutes. You can change the default settings or disable the user account lockout.
- Configuring VM Manager tool to accept trusted VM manager certificates
  By default, the VM Manager tool accepts all VM manager certificates regardless of whether they are trusted or not. You can change the default behavior to ensure that only trusted certificates are accepted by the VM Manager tool.
- Relays
  Relays lighten both upstream and downstream burdens on the server. Rather than communicating directly with a server, clients can instead be instructed to communicate with designated relays, considerably reducing both server load and client and server network traffic.
Troubleshooting and support
Learn about solutions to common problems that might arise when you use BigFix Inventory BigFix Inventory and how to find logs and trace files that help you troubleshoot those problems.
Tuning performance
Learn how to plan the infrastructure of BigFix Inventory and to configure the application server to achieve optimal performance. The following guidelines are applicable in big data environments as well as in smaller environments that are running on low-performance hardware.
Integrating with REST API
External systems integration is one of the key features of BigFix Inventory. Business logic is enabled for integration and interfaces are provided for common integration points.
Glossary
Guide in PDF format

Step 2: Configuring Identity Provider for single sign-on

As the second step, configure BigFix Inventory server as a relying party to consume claims from the Identity Provider. Perform the configuration based on the spMetadata.xml file that you downloaded from BigFix Inventory.

About this task

BigFix Inventory supports single sign-on (SSO) through Active Directory Federation Services (AD FS). If you are using Azure, you must configure Azure to AD FS to authenticate through the SSO and access the application. The following procedure is based on the example of AD FS.

Procedure

Log in to the computer where Active Directory Federation Services are installed.
Copy the spMetadata.xml file from your computer to a directory on the AD FS server.
Click the Start rectangle in the lower-left area of the screen in Windows 2012 and then click the AD FS Management tile.
In the left navigation tree of the AD FS application, expand AD FS > Trust Relationships > Relying Party Trusts.
In the Relying Party Trusts pane on the right, click Add Relying Party Trust. A wizard opens. Click Start.
Select Import data about the relying party from a file.
Click Browse, select the spMetadata.xml file and click Open. Click Next.
On the new pane, provide the Display name for your ADFS service. Click Next.
Leave the option Permit all users to access the relying party selected, and click Next.
On the Ready to Add Trust pane, click Next.
On the Finish pane, click Close. The Edit Claim rules window opens.
Click the Add Rule button in the lower left corner. The Add Transform Claim Rule wizard opens. Click Next.
In the Claim Rule template, type Name ID rule.
From the Attribute store drop-down list, select Active Directory.
In the Mapping of LDAP Attributes to outgoing claim types section, click the first drop-down list and select User Principal Name. From the second list, select Name ID.

Repeat the step to achieve the following configuration and click Finish.

Table 1. Mapping of LDAP Attributes to outgoing claim types
LDAP Attribute	Outgoing Claim Type
User-Principal-Name	Name ID
E-Mail-Addresses	E-Mail Address
Token-Groups - Qualified by Long Domain Name	Group
SAM-Account-Name	Windows™ account name

In the Edit Claim rules window, click Apply and OK.

What to do next

Enable single sign-on in BigFix Inventory.