Step 3: Finalizing BigFix Inventory configuration in Identity Provider
To finalize the configuration, follow one of the procedures below, depending on which Identity Provider you configured in Step 1: Configuring BigFix Inventory in Identity Provider for single sign-on. There are two sets of steps: one for Microsoft Entra ID and one for AD FS.
Configuring Microsoft Entra ID
Refer to the steps for configuring Microsoft Entra ID. You do not have to repeat them if you already configured Entra ID in Step 1: Configuring BigFix Inventory in Identity Provider for single sign-on.
Note: Step 3 is optional. In some scenarios there is nothing further to do, for example when you use Microsoft Entra ID and already completed its setup in Step 1.
Configuring Microsoft Active Directory Federation Services
This is an example configuration of BigFix Inventory single sign-on (SSO) through Active Directory Federation Services (AD FS).
Procedure
- Log in to the computer where Active Directory Federation Services is installed.
- Copy the spMetadata.xml file from your computer to a directory on the AD FS server. The metadata tells AD FS which entity ID, assertion consumer endpoint, and signing certificate to trust for BigFix Inventory, so transfer it over a trusted channel and use only the file exported from your own BigFix Inventory server.
- Click the Start rectangle in the lower-left area of the screen in Windows 2012 and then click the AD FS Management tile.
- In the left navigation tree of the AD FS application, expand the tree until the Relying Party Trusts node is shown.
- In the Relying Party Trusts pane on the right, click Add Relying Party Trust. A wizard opens. Click Start.
- Select Import data about the relying party from a file.
- Click Browse, select the spMetadata.xml file, and click Open. Click Next.
- On the next pane, provide a Display name for the relying party trust, for example the name of your BigFix Inventory server. Click Next.
- Leave the option Permit all users to access this relying party selected, and click Next. This issuance authorization rule lets every user who can authenticate to AD FS obtain a token for BigFix Inventory; if only a subset of users should reach the application, tighten the issuance authorization rules on the trust afterwards.
- On the Ready to Add Trust pane, click Next.
- On the Finish pane, click Close. The Edit Claim rules window opens.
- Click the Add Rule button in the lower-left corner. The Add Transform Claim Rule wizard opens. With the Send LDAP Attributes as Claims template selected (the default), click Next.
- In the Claim rule name field, type Name ID rule.
- From the Attribute store drop-down list, select Active Directory.
- In the Mapping of LDAP Attributes to outgoing claim types section, click the first drop-down list and select User-Principal-Name. From the second list, select Name ID.
- Repeat the previous step for each remaining row until the mapping matches Table 1, then click Finish.
Table 1. Mapping of LDAP Attributes to outgoing claim types
| LDAP Attribute | Outgoing Claim Type |
| --- | --- |
| User-Principal-Name | Name ID |
| E-Mail-Addresses | E-Mail Address |
| Token-Groups - Qualified by Long Domain Name | Group |
| SAM-Account-Name | Windows™ account name |
- In the Edit Claim Rules window, click Apply and OK.
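The AD FS Management wizard steps above can also be scripted, which makes the resulting trust reproducible and reviewable. The following PowerShell is an added example, not code from the BigFix Inventory documentation or product: it creates the same relying party trust from spMetadata.xml, attaches the Table 1 attribute mapping as a single Send LDAP Attributes as Claims rule, applies the permit-all authorization rule, and then verifies the result. It assumes the AD FS PowerShell module (Windows Server 2012 R2 or later), and the metadata path and display name are placeholders you must adjust.

```powershell
# Added example (not part of the BigFix Inventory documentation). Run in an
# elevated PowerShell session on the AD FS server. Paths and names below are
# assumptions; replace them with your own values.

$MetadataFile = 'C:\ADFS\spMetadata.xml'   # assumed: where you copied the SP metadata
$DisplayName  = 'BigFix Inventory'         # assumed: display name of the relying party trust

# Sanity-check the metadata before importing it: it must be well-formed XML and
# carry an entityID, which AD FS uses as the relying party identifier.
if (-not (Test-Path -Path $MetadataFile)) {
    throw "SP metadata not found: $MetadataFile"
}
[xml]$Metadata = Get-Content -Path $MetadataFile -Raw
$EntityId = $Metadata.EntityDescriptor.entityID
if ([string]::IsNullOrEmpty($EntityId)) {
    throw "No entityID in $MetadataFile; re-export the metadata from BigFix Inventory"
}
Write-Host "Importing relying party '$EntityId' as '$DisplayName'"

# Claim rule language equivalent of Table 1: one LDAP rule that queries the
# four Active Directory attributes and issues the four outgoing claim types
# (Name ID, E-Mail Address, Group, Windows account name).
$IssuanceTransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Name ID rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/claims/Group",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"),
          query = ";userPrincipalName,mail,tokenGroups(longDomainQualifiedName),sAMAccountName;{0}",
          param = c.Value);
'@

# Equivalent of "Permit all users to access this relying party".
$IssuanceAuthorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $DisplayName `
    -MetadataFile $MetadataFile `
    -IssuanceTransformRules $IssuanceTransformRules `
    -IssuanceAuthorizationRules $IssuanceAuthorizationRules

# Verify: the trust exists, its identifier matches the metadata entityID, and
# the claim rules are attached. Fail loudly if the identifier does not match,
# since a mismatch means assertions will be issued for the wrong audience.
$Trust = Get-AdfsRelyingPartyTrust -Name $DisplayName
if ($Trust.Identifier -notcontains $EntityId) {
    throw "Relying party identifier does not match the metadata entityID"
}
$Trust | Select-Object Name, Identifier, Enabled, IssuanceTransformRules, IssuanceAuthorizationRules | Format-List
```

The here-string rule text is exactly what the AD FS Management wizard generates for the Table 1 mapping, so the GUI and scripted paths produce the same trust. Keeping the rule text in version control lets you diff the Name ID source (here userPrincipalName) and the group claim against what BigFix Inventory expects before changes reach production.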