SAML 2.0
BigFix supports SAML 2.0. SAML authentication is an application login mechanism that uses a configured Identity Provider (IdP) to authenticate users.
While SAML authentication support is a feature of the BigFix platform, its configuration is implemented through the WebUI. The WebUI must be enabled in your deployment to take advantage of SAML. You can use the WebUI without setting up SAML, and use SAML without using the WebUI applications.
To activate SAML authentication without enabling the full set of WebUI components, start the WebUI in SAML-Only mode.
Enabling the WebUI in SAML-Only Mode
Starting the WebUI in SAML-Only mode allows you to minimize resource consumption by activating SAML authentication without enabling the full set of WebUI applications. In SAML-Only mode, only those processes that are required to enable SAML authentication for the BigFix WebUI, the BigFix Web Reports, and the BigFix Console are created. All the other WebUI functions, other than the SAML Administration page, are unavailable.
To start the WebUI in SAML-Only mode, use the computer setting _WebUIAppEnv_SAML_ONLY and the SAML Administration page. This is the procedure to follow, as BigFix Master Operator, to enable the WebUI in SAML-Only mode:
- Open the BigFix Console, select the All Contents domain and then Computers. Click your WebUI server name and select Edit Computer Settings.
- If not yet listed, add the computer setting _WebUIAppEnv_SAML_ONLY to the Settings list and set its value to 1:
  - From Edit Settings, click Add to open the Add Custom Setting dialog.
  - In the Setting Name field type: _WebUIAppEnv_SAML_ONLY
  - In the Setting Value field type: 1
  - Click OK.
  Note: If the setting _WebUIAppEnv_SAML_ONLY is already present but set to 0 (disabled), change its value to 1.
- If not yet enabled, enable the WebUI as described in the Installation Procedure. If you already enabled the WebUI, restart the WebUI service to activate the changes.
- For SAML to work correctly when you are installing the WebUI on a separate remote server, you must set the _WebUI_AppServer_Hostname key of the BigFix server computer to the hostname of the computer where the WebUI is installed.
- Log in to the WebUI. Type your WebUI URL into a browser window to display the /login page. Once your credentials are authenticated, the SAML Administration page (/administrator) displays.
- On the SAML Administration page, enter your SAML configuration settings, and click Enable.
  Note: To enable SAML authentication for Web Reports, Web Reports must be enabled for SSL. (This is required whether the WebUI is in standard or SAML-Only mode.)
- Restart the BES Root Server, the Web Reports server, and the WebUI service to complete the process. SAML authentication is now enabled in SAML-Only mode for Web Reports, the BigFix Console and the WebUI.
After installing the WebUI, if you only want to switch from the full WebUI to SAML-Only mode, set the _WebUIAppEnv_SAML_ONLY setting to 1, and then restart the BES Root Server and the WebUI service to make the change operational. If _WebUIAppEnv_SAML_ONLY is not present, or it is set to 0, SAML-Only mode is not enabled. For more information about the available settings affecting the WebUI configuration, see WebUI Server Settings.
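The following script is an added example, not part of the HCL BigFix documentation or product code. It applies the rule above (SAML-Only mode is on only when _WebUIAppEnv_SAML_ONLY is present and set to 1; absent or 0 means off) and, for a remote WebUI, checks that the BigFix server carries the _WebUI_AppServer_Hostname setting for the WebUI host. It assumes the client settings are readable in the INI-style layout of the Linux client's besclient.config, where each setting is a section named [Software\BigFix\EnterpriseClient\Settings\Client\<name>] followed by a value = ... line; adjust the parser if your file differs. The sample configuration texts and the hostname webui01.example.internal are constructed.

```python
"""Report whether a BigFix WebUI server is configured for SAML-Only mode.

Added example, not HCL BigFix code. Input format is ASSUMED to follow the
Linux besclient.config layout; the sample texts below are constructed.
"""
import re
from typing import Dict, List, Optional

SAML_ONLY_SETTING = "_WebUIAppEnv_SAML_ONLY"
APPSERVER_HOSTNAME_SETTING = "_WebUI_AppServer_Hostname"

# One client setting per section (assumed layout); captures the setting name.
SECTION_RE = re.compile(
    r"^\[Software\\BigFix\\EnterpriseClient\\Settings\\Client\\([^\]]+)\]$"
)
VALUE_RE = re.compile(r"^value\s*=\s*(.*)$")


def parse_client_settings(text: str) -> Dict[str, str]:
    """Map each client setting name to its value; other sections are skipped."""
    settings: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            m = SECTION_RE.match(line)
            current = m.group(1) if m else None  # None: not a client setting
            continue
        if current is not None:
            v = VALUE_RE.match(line)
            if v:
                settings[current] = v.group(1).strip()
    return settings


def saml_only_enabled(settings: Dict[str, str]) -> bool:
    """SAML-Only mode is on only when the setting is present and equals 1."""
    return settings.get(SAML_ONLY_SETTING) == "1"


def assess_saml_only(webui_cfg: str, root_cfg: Optional[str] = None,
                     expected_webui_host: Optional[str] = None) -> dict:
    """Evaluate the WebUI server's settings and, when root_cfg is given
    (remote WebUI), the BigFix server's hostname setting as well."""
    webui = parse_client_settings(webui_cfg)
    issues: List[str] = []
    value = webui.get(SAML_ONLY_SETTING)
    if value is None:
        issues.append(f"{SAML_ONLY_SETTING} not set: SAML-Only mode is not enabled")
    elif value not in ("0", "1"):
        issues.append(f"{SAML_ONLY_SETTING}={value!r} is not 0 or 1; treated as disabled")
    if root_cfg is not None:
        root = parse_client_settings(root_cfg)
        host = root.get(APPSERVER_HOSTNAME_SETTING)
        if not host:
            issues.append(f"{APPSERVER_HOSTNAME_SETTING} missing on the BigFix server; "
                          "required when the WebUI runs on a separate host")
        elif expected_webui_host and host.lower() != expected_webui_host.lower():
            issues.append(f"{APPSERVER_HOSTNAME_SETTING}={host!r} does not match "
                          f"the WebUI host {expected_webui_host!r}")
    return {"saml_only": saml_only_enabled(webui), "value": value, "issues": issues}


# Constructed sample files (not captured from a real deployment).
WEBUI_SERVER_CFG = """\
[Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_BESClient_Log_Days]
value = 10
[Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_WebUIAppEnv_SAML_ONLY]
value = 1
"""

ROOT_SERVER_CFG = """\
[Software\\BigFix\\EnterpriseClient\\Settings\\Client\\_WebUI_AppServer_Hostname]
value = webui01.example.internal
"""

if __name__ == "__main__":
    report = assess_saml_only(WEBUI_SERVER_CFG, ROOT_SERVER_CFG, "webui01.example.internal")
    print(report)
```

Run it against the two files from the WebUI server and the BigFix server after the restart step; an empty issues list together with saml_only set to True means the deployment is in the state the procedure describes.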
Notes
- In SAML-Only mode, appending /login to your WebUI URL displays the standard WebUI login form.
- Logging in to the WebUI (using either SAML or the /login page) redirects users to the SAML Administration page. On this page Master Operators can configure SAML settings. Non-Master Operators see a "403 (Forbidden)" message and cannot view or edit the SAML configuration.
- If a user manually accesses the / URL after logging in, they see a blank WebUI dashboard. Only the Home and Log Out controls are active. Logging out redirects the user to the Reauthenticate page, regardless of the method they used to log in. All other navigable WebUI URLs (except / and the SAML Administration page) return an "Access Forbidden" message.