Welcome
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
Configuring and enabling single sign-on (SSO)
Available from 9.2.1. You can now use the two-factor authentication and use SSO to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token.
Configuring single sign-on based on Security Assertion Markup Language token
You can configure single sign-on based on a Security Access Markup Language (SAML 2.0) token and an external Identity Provider server.
Disabling single sing-on manually

BigFix Documentation Homepage
BigFix 11 Inventory Documentation
Welcome to the BigFix Inventory documentation, where you can find information about how to install and configure BigFix Inventory. The application provides you with information about your inventory and license metrics. You can manage your software assets, gather information about your hardware, and ensure license compliance for your enterprise using BigFix Inventory.
BigFix Platform
BigFix Scanner (New)
Overview
Become familiar with key concepts that are necessary to understand how BigFix Inventory works and learn about features and functions that are introduced in every version of the application.
Installing
Learn about the requirements and available installation scenarios to ensure that the deployment of BigFix Inventory goes smoothly in your environment.
Configuring
After you install BigFix Inventory, configure the application. Create accounts for the users who need access to the application and set up scans to collect software and hardware inventory data from your environment.
Upgrading
A new version of BigFix Inventory is released periodically, typically at the end of each calendar quarter. Upgrade to the new version regularly to take full advantage of new features and application fixes.
Catalog Overview
This section provides information about catalog updates available with every release.
Managing the infrastructure
After you complete the initial configuration of BigFix Inventory, learn how to manage components of its infrastructure: VM managers, server, database, and data sources.
Software inventory and license utilization
You can classify the discovered software so that reports in BigFix Inventory reflect your entitlements and properly show utilization of license metrics by particular products.
Managing security threats
Learn how to use BigFix Inventory to manage security threats in your environment. You can view whether any of the installed components is prone to any Common Vulnerability and Exposure (CVE).
Tutorials
Tutorials help you understand how to use BigFix Inventory. They consist of modules that focus on broad goals. Modules consist of tasks that show how to configure specific settings step-by-step.
Security
Configure different security features to adequately protect business assets and resources in the data model when using BigFix Inventory.
- Flow of data
  There are several different interactions that occur between the components of the BigFix Inventory infrastructure and between the user and tool.
- Security configuration scenarios
  Check what security options need to be enabled on the BigFix server and the BigFix Inventory server to achieve each of the supported security scenarios.
- Configuring database connection encryption
  You can encrypt the connection between BigFix Inventory server and the BigFix Inventory database. Encryption is established between BigFix Inventory server and the database engine using a JDBC driver. You can encrypt the connection while upgrading the server.
- Configuring secure communication
  To ensure secure communication, BigFix Inventory uses public key cryptography, which is based on algorithms that use two separate keys, a private key and a public key. This key pair is used to encrypt and decrypt communication
- Authenticating users with LDAP
  BigFix Inventory supports authentication through a Lightweight Directory Access Protocol (LDAP) server. To use this feature, you must configure the BigFix Inventory server.
- Configuring passwords and encryption mechanisms
  To improve the application security, define a security policy for user passwords. You can also configure passwords and encryption mechanisms for the keystore in which the passwords are stored, and the BigFix Inventory database.
- Configuring user account lockout
  Available from 9.2.8. By default, user account is locked for 5 minutes after the user attempts to log in to BigFix Inventory more than 10 times within 5 minutes. You can change the default settings or disable the user account lockout.
- Configuring VM Manager tool to accept trusted VM manager certificates
  By default, the VM Manager tool accepts all VM manager certificates regardless of whether they are trusted or not. You can change the default behavior to ensure that only trusted certificates are accepted by the VM Manager tool.
- Configuring and enabling single sign-on (SSO)
  Available from 9.2.1. You can now use the two-factor authentication and use SSO to log on to BigFix Inventory and maintain login consistency with other applications in the enterprise. You can configure BigFix Inventory to use two-factor authentication with single sign-on based either on the exchange of Security Assertion Markup Language (SAML 2.0) token.
  - Creating single sign-on users
    To be able to enable single sign-on, you must create first at least one users that can later log in toBigFix Inventory. Note that once single sign-on is enabled, no other authentication methods are available.
  - Configuring single sign-on based on Security Assertion Markup Language token
    You can configure single sign-on based on a Security Access Markup Language (SAML 2.0) token and an external Identity Provider server.
    - Step 1: Configuring BigFix Inventory in Identity Provider for single sign-on
      As the first step, configure BigFix Inventory server in the Identity Provider.
    - Step 2: Configuring single sign-on settings in BigFix Inventory
      Configure single sign-on support in BigFix Inventory. At the point, BigFix Inventory Server has activated the SAML endpoint but the endpoint is not protected with single sing-on. After performing the steps mentioned below, you will be able to check the URLs that is used by BigFix Inventory Server through the SAML metadata.
    - Step 3: Finalizing BigFix Inventory configuration in Identity Provider
      As the second step, configure BigFix Inventory server in the Identity Provider.
    - Step 3: Enabling the SAML single sign-on
      As the final step, enable single sign-on in the BigFix Inventory web user interface.
    - Disabling single sing-on manually
  - Troubleshooting single sign-on (SSO)
    This section provides troubleshooting procedure for the single sign-on setup in BigFix Inventory.
  - Advanced single sing-on configuration
    This section covers additional configuration options available when setting up single sign-on.
- Relays
  Relays lighten both upstream and downstream burdens on the server. Rather than communicating directly with a server, clients can instead be instructed to communicate with designated relays, considerably reducing both server load and client and server network traffic.
- Hardening network security configuration: restrict incoming requests to selected HOSTS
  Protect BigFix Inventory deployment by specifying allowed HOST in the HTTP header when connecting.
Troubleshooting and support
Learn about solutions to common problems that might arise when you use BigFix Inventory BigFix Inventory and how to find logs and trace files that help you troubleshoot those problems.
Tuning performance
Learn how to plan the infrastructure of BigFix Inventory and to configure the application server to achieve optimal performance. The following guidelines are applicable in big data environments as well as in smaller environments that are running on low-performance hardware.
Integrating with REST API
External systems integration is one of the key features of BigFix Inventory. Business logic is enabled for integration and interfaces are provided for common integration points.
Glossary
Guide in PDF format
DataFlow ServiceNow Integration
Service Graph Connector Integration

Disabling single sing-on manually

About this task

In case of issue with the single sign-on there is possible to revert back to previous user authentication methods by modifing the web.xml and server.xml, correct the configuration and repeat the enablement.

Procedure

Stop the BigFix Inventory server.

Make changes in the web.xml file that is in the following directory.

bfi_install_dir/wlp/usr/servers/server1/apps/tema.war/WEB-INF
bfi_install_dir\wlp\usr\servers\server1\apps\tema.war\WEB-INF

If there is available backup web.xml.timestamp.backup use it to restore the web.xml.

Ensure that the value of the <config.sso.enabled> parameter to false.

<context-param>
    <param-name>config.sso.enabled</param-name>
    <param-value>false</param-value>
</context-param>

Remove the <security-constraint> element.

<security-constraint>
	<display-name>TemaSSOAuthenticated</display-name>
	<web-resource-collection>
 		<web-resource-name>index</web-resource-name>
		<url-pattern>/</url-pattern>
...
		<url-pattern>/help/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>TemaSSOAuthenticated</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>

Steps b and c are sufficent modification of web.xml

Make changes in the server.xml file that is in the following directory.

bfi_install_dir/wlp/usr/servers/server1
bfi_install_dir\wlp\usr\servers\server1

Remove the <application-bnd> element that is inside of the <application> element.

<application autoStart='true' location="tema.war" context-root="/" name="tema" type="war">
  <classloader commonLibraryRef='tema,DatabaseLib' delegation='parentLast'/>
    <application-bnd>
      <security-role id="TemaSSOAuthenticated" name="TemaSSOAuthenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
      </security-role>
    </application-bnd>
</application>

Start the BigFix Inventory server.
Above steps does not remove SAML feature. They are intended to only allow to login to BigFix Inventory Server using previous authentication method. To completry disable SAML there is also needed to remove in server.xml <feature>samlWeb-2.0</feature> element that is inside the <featureManager> element, the <samlWebSso20> element if it exists and keyStore elements with id="SPKeyStore" and id="IdPKeyStore".

To add feedback about this topic, select the following checkbox:

By clicking this box, you acknowledge that you are NOT a U.S. Federal Government employee or agency, nor are you submitting information with respect to or on behalf of one. HCL provides software and services to U.S. Federal Government customers through its partners Four, Inc. Contact this team at https://hcltechsw.com/resources/us-government-contact. Do not include any personal data in this Comment box. Note: To report a problem or question about the product software, do not use this form. Instead, go to the HCL Software Support site. Personal data should not be shared in this comment box. See our Privacy Statement to understand how personal data is used.