Step 1: Configuring BigFix Inventory in Identity Provider for single sign-on

As the first step, configure BigFix Inventory server in the Identity Provider.

Configuring Microsoft Entra ID

About this task

To configure BigFix Inventory with Microsoft Entra ID, note that only the Identity Provider Initiated (IdP-initiated) scenario is supported. Microsoft Entra ID does not support the SAML HTTP Post redirect binding that IBM WebSphere Liberty, which BigFix Inventory uses, requires.

When configuring BigFix Inventory in Microsoft Entra ID, make sure that you do not set the Sign-On URL and Relay State. By specifying Entra's User Access URL as the Login Page URL in BFI, users are redirected to the Identity Provider Initiated (IdP-initiated) flow of Microsoft Entra ID.

Procedure

  1. Follow the Microsoft guide Security Assertion Markup Language (SAML) single sign-on (SSO) for on-premises apps with Microsoft Entra application proxy - Microsoft Entra ID | Microsoft Learn and use the following information:
    1. Identifier (Entity ID): https://<bigfix bfi server>:9081/ibm/saml20/defaultSP
    2. Reply URL (Assertion Consumer Service URL): https://<bigfix bfi server>:9081/ibm/saml20/defaultSP/acs
    3. Sign on URL: keep empty
    4. Relay State: keep empty
      If a load balancer or proxy is used, adjust the URLs to use its host and port. The same information must also be specified on the BigFix Inventory server side through the spHostAndPort attribute in customization.xml (see Configuring spHostAndPort).
  2. Map the users to the BigFix Inventory application in Entra
  3. Gather the following information from Entra:
    1. User Access URL - available under Manage: Properties
      Example: https://launcher.myapps.microsoft.com/api/signin/<APPLICATION ID / GUID>?tenantId=<TENANT ID / GUID>
    2. URL of the Trusted Issuer
      Example: https://sts.windows.net/<TENANT ID / GUID>/
    3. Public certificate of the Identity Provider in the key_name.cer format.
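
The values gathered above are easy to mistype, and the tenant GUID in the User Access URL must be the same tenant as in the Trusted Issuer. The following script is an added example, not part of the BigFix Inventory documentation: it builds the Service Provider URLs for a given BFI (or load balancer) host:port and cross-checks the Entra values before they are entered in BigFix Inventory. The GUIDs in the sample calls are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Format of an Entra application or tenant ID (a GUID).
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def build_sp_urls(host_and_port):
    """Entity ID and Reply (ACS) URL exactly as the procedure specifies them.

    For a load balancer or proxy, pass its host:port; the same value is what
    goes into the spHostAndPort attribute in customization.xml.
    """
    entity_id = f"https://{host_and_port}/ibm/saml20/defaultSP"
    return entity_id, entity_id + "/acs"


def check_entra_settings(user_access_url, trusted_issuer):
    """Return a list of problems found; an empty list means the values agree."""
    problems = []
    u = urlparse(user_access_url)
    if u.scheme != "https" or u.netloc != "launcher.myapps.microsoft.com":
        problems.append("User Access URL is not an Entra launcher URL")
    m = re.match(r"^/api/signin/([^/]+)$", u.path)
    app_id = m.group(1) if m else ""
    if not GUID_RE.match(app_id):
        problems.append("application ID in User Access URL is not a GUID")
    tenant_from_url = parse_qs(u.query).get("tenantId", [""])[0]
    if not GUID_RE.match(tenant_from_url):
        problems.append("tenantId query parameter is missing or not a GUID")

    i = urlparse(trusted_issuer)
    tenant_from_issuer = i.path.strip("/")
    if i.netloc != "sts.windows.net" or not GUID_RE.match(tenant_from_issuer):
        problems.append("Trusted Issuer is not https://sts.windows.net/<tenant>/")
    elif not trusted_issuer.endswith("/"):
        # The issuer is matched as an exact string; keep the trailing slash
        # that the Entra issuer value carries.
        problems.append("Trusted Issuer is missing its trailing slash")

    if (tenant_from_url and tenant_from_issuer
            and tenant_from_url.lower() != tenant_from_issuer.lower()):
        problems.append("tenant in User Access URL differs from Trusted Issuer")
    return problems


if __name__ == "__main__":
    print(build_sp_urls("bfi.example.com:9081"))  # constructed host name
    print(check_entra_settings(
        "https://launcher.myapps.microsoft.com/api/signin/"
        "11111111-2222-3333-4444-555555555555"
        "?tenantId=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/"))
```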

Configuring Microsoft Active Directory Federation Service

This is an example configuration of BigFix Inventory single sign-on (SSO) through Active Directory Federation Services (AD FS).

Procedure

Gather the following information from Microsoft Active Directory Federation Service:
  1. URL to the login page of the Identity Provider. It is the URL to which an unauthenticated request is redirected. After the request is authenticated by the Identity Provider
    Example: https://<ADFS_hostname>/adfs/ls/IdPInitiatedSignOn.aspx?LoginToRP=
  2. URL of the Trusted Issuer
    Example: http://ADFS_host_name/adfs/services/trust
  3. Public certificate of the Identity Provider in the key_name.cer format.

What to do next

Step 2: Configuring single sign-on settings in BigFix Inventory.