Step 2: Configuring Identity Provider for single sign-on

As the second step, register the BigFix Inventory server as a relying party (SAML service provider) in the Identity Provider, using the spMetadata.xml file exported in step 1.

Configuring Microsoft Active Directory Federation Service

This is an example configuration of BigFix Inventory single sign-on (SSO) through Active Directory Federation Services (AD FS).

Procedure

  1. Log in to the computer where Active Directory Federation Services are installed.
  2. Copy the spMetadata.xml file from your computer to a directory on the AD FS server.
  3. On Windows Server 2012, click the Start rectangle in the lower-left corner of the screen, and then click the AD FS Management tile.
  4. In the left navigation tree of the AD FS application, expand AD FS > Trust Relationships > Relying Party Trusts.
  5. In the Relying Party Trusts pane on the right, click Add Relying Party Trust. A wizard opens. Click Start.
  6. Select Import data about the relying party from a file.
  7. Click Browse, select the spMetadata.xml file, and click Open. Click Next.
  8. On the Specify Display Name pane, provide a display name for the relying party trust (the name under which BigFix Inventory appears in AD FS). Click Next.
  9. Leave the option Permit all users to access the relying party selected, and click Next.
  10. On the Ready to Add Trust pane, click Next.
  11. On the Finish pane, click Close. The Edit Claim rules window opens.
  12. Click Add Rule in the lower left corner. The Add Transform Claim Rule wizard opens with the Send LDAP Attributes as Claims template selected. Click Next.
  13. In the Claim rule name field, type Name ID rule.
  14. From the Attribute store drop-down list, select Active Directory.
  15. In the Mapping of LDAP attributes to outgoing claim types section, select User-Principal-Name from the first LDAP Attribute drop-down list and Name ID from the Outgoing Claim Type list.
  16. Add the remaining rows in the same way until the mapping matches Table 1, and click Finish.
    Table 1. Mapping of LDAP attributes to outgoing claim types
    LDAP Attribute                                  Outgoing Claim Type
    User-Principal-Name                             Name ID
    E-Mail-Addresses                                E-Mail Address
    Token-Groups - Qualified by Long Domain Name    Group
    SAM-Account-Name                                Windows account name
  17. In the Edit Claim rules window, click Apply and OK.
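The same relying party trust and claim rules can be created from the AD FS PowerShell module instead of the wizard. The following script is an added example, not part of the BigFix documentation or product. It assumes it runs in an elevated PowerShell session on the AD FS server, that spMetadata.xml was copied to C:\Temp (placeholder path), and that the trust is named "BigFix Inventory" (placeholder name). The claim types are the URIs behind the friendly names shown in the wizard; the LDAP attribute names are the ones AD FS uses in its rule language for the rows of Table 1.

```powershell
# Added example: create the BigFix Inventory relying party trust with the same
# settings as the wizard steps above. Not part of the BigFix documentation.
# Assumptions: elevated session on the AD FS server, metadata at C:\Temp,
# display name "BigFix Inventory" (both placeholders).
$metadataFile = "C:\Temp\spMetadata.xml"
$displayName  = "BigFix Inventory"

# Step 9: "Permit all users to access the relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 12-16: one "Send LDAP Attributes as Claims" rule carrying the four
# mappings of Table 1. AD FS looks up the attributes in Active Directory for
# the authenticated user's Windows account name (c.Value) and issues them as
# Name ID, E-Mail Address, Group and Windows account name claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Name ID rule"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";userPrincipalName,mail,tokenGroups(longDomainQualifiedName),sAMAccountName;{0}", param = c.Value);
'@

# Steps 5-11: import the SP metadata (entity ID, ACS endpoint, signing
# certificate) and attach both rule sets in one call.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataFile $metadataFile `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Check what was created: the Identifier should be the BigFix Inventory SP
# entity ID (https://<server>:9081/ibm/saml20/defaultSP) from the metadata,
# the ACS endpoint should be listed, and the transform rule should be attached.
$rp = Get-AdfsRelyingPartyTrust -Name $displayName
$rp | Select-Object Name, Identifier, Enabled
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules
```

Keeping the rules in a script makes the claim configuration reviewable and repeatable; the same two strings can be reapplied with Set-AdfsRelyingPartyTrust if someone edits the rules by hand in the console.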

What to do next

Enable single sign-on in BigFix Inventory.

Configuring Microsoft Entra ID

About this task

BigFix Inventory works with Microsoft Entra ID only in the Identity Provider Initiated (IdP-initiated) scenario. Microsoft Entra ID accepts the SAML authentication request (AuthnRequest) only over the HTTP-Redirect binding, whereas the IBM WebSphere Liberty server used by BigFix Inventory sends it with the HTTP-POST binding, so the Service Provider Initiated (SP-initiated) flow cannot be used.

When you register BigFix Inventory in Microsoft Entra ID, leave the Sign-on URL and Relay State fields empty. Then set the User access URL of the Entra enterprise application (shown on its Properties page) as the Login Page URL in BigFix Inventory; users who open BigFix Inventory are redirected into the Microsoft Entra ID IdP-initiated flow.

Procedure

  1. Follow the Microsoft guide Security Assertion Markup Language (SAML) single sign-on (SSO) for on-premises apps with Microsoft Entra application proxy - Microsoft Entra ID | Microsoft Learn, and use the following values:
    1. Identifier (Entity ID): https://<bigfix bfi server>:9081/ibm/saml20/defaultSP
    2. Reply URL (Assertion Consumer Service URL): https://<bigfix bfi server>:9081/ibm/saml20/defaultSP/acs
    3. Sign on URL: keep empty
    4. Relay State: keep empty
  2. After Entra ID is configured, enable SSO in BigFix Inventory on the Management > Single Sign-On page:
    1. Click Enable.
    2. Restart the BigFix Inventory service.
    After the service restarts, the BigFix Inventory login page redirects to the login page of the identity provider. Enter your credentials. After successful authentication you are redirected to the BigFix Inventory home page.

Results

Possible issues
  1. An endless redirect loop. Set up the Entra application manually instead of importing the metadata from BigFix Inventory, and make sure that neither the Sign-on URL nor the Relay State is configured. If either of these settings was set, delete the application definition in Entra ID and create it again from the beginning.
  2. If you instead point the BigFix Inventory login page at the Entra endpoint for the Service Provider Initiated (SP-initiated) flow, you get the error AADSTS750054. It is caused by the mismatch between the HTTP bindings that Entra ID and WebSphere Liberty use for the SAML request (HTTP-Redirect only versus HTTP-POST only). For more details about the error, see Microsoft Learn - Troubleshoot AADSTS750054 error.
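Because the two Entra-side mistakes that break this setup (a non-empty Sign-on URL or Relay State, or a wrong Identifier/Reply URL) are easy to make in the portal, it is worth checking the enterprise application after creating it. The following script is an added example, not part of the BigFix documentation or product. It reads the application through the Microsoft Graph PowerShell module and compares it with the values from the procedure above. It assumes the Microsoft.Graph module is installed, the signed-in account has the Application.Read.All permission, the enterprise application is named "BigFix Inventory" and the server is bfi.example.com (the name and host are placeholders). It also assumes the portal fields map to Graph properties as follows: Identifier to the application's identifierUris, Reply URL to the service principal's replyUrls, Sign-on URL to loginUrl, and Relay State to samlSingleSignOnSettings.relayState.

```powershell
# Added example: verify an Entra ID enterprise application against the
# BigFix Inventory IdP-initiated SAML settings. Not part of the BigFix
# documentation. Assumptions: Microsoft.Graph module, Application.Read.All,
# app display name and BFI host below are placeholders.
param(
    [string]$AppDisplayName = "BigFix Inventory",
    [string]$BfiHost        = "bfi.example.com"
)

$expectedEntityId = "https://$($BfiHost):9081/ibm/saml20/defaultSP"
$expectedAcsUrl   = "https://$($BfiHost):9081/ibm/saml20/defaultSP/acs"

Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# The enterprise application is a service principal; the Identifier lives on
# the backing application object, so fetch both (assumed property mapping).
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Enterprise application '$AppDisplayName' not found" }
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"

$problems = @()

# Identifier (Entity ID) must be the Liberty default SP entity ID.
if ($app.IdentifierUris -notcontains $expectedEntityId) {
    $problems += "Identifier (Entity ID) is '$($app.IdentifierUris -join ', ')'; expected '$expectedEntityId'"
}

# Reply URL must be the Liberty assertion consumer service endpoint.
if ($sp.ReplyUrls -notcontains $expectedAcsUrl) {
    $problems += "Reply URLs '$($sp.ReplyUrls -join ', ')' do not include '$expectedAcsUrl'"
}

# Sign-on URL must stay empty: a value here makes Entra treat the app as
# SP-initiated, which the procedure above says leads to the redirect loop.
if (-not [string]::IsNullOrEmpty($sp.LoginUrl)) {
    $problems += "Sign-on URL is set to '$($sp.LoginUrl)'; it must be empty"
}

# Relay State must stay empty for the same reason.
$relayState = $sp.SamlSingleSignOnSettings.RelayState
if (-not [string]::IsNullOrEmpty($relayState)) {
    $problems += "Relay State is set to '$relayState'; it must be empty"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: '$AppDisplayName' matches the BigFix Inventory IdP-initiated configuration."
    Write-Host "Copy the User access URL from the application's Properties page into the BigFix Inventory Login Page URL field."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the check after creating the application and again after any edit in the portal; a non-zero exit code and the warnings point at the exact field to clear or correct before you restart the BigFix Inventory service.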