How to correct SAML setup once enabled

Hi, we followed the SAML2 setup instructions from the PDF, but our entrypoint URL was mistyped. We're now unable to log in on the WEBUI or on the WEBreports. We tried to update the SAML_SETTINGS in the DB, but because of the signing security, the server won't start if anything changed. How can we update the EntryPoint?
Thanks for your help

See the attached document on this page. It includes the special URL you can use to log in via a local account and then update the SAML config. You will need to go to https://webui/login and then go to https://webui/administrator to correct or disable the config.


Hi Steve,

Thanks for your quick answer. I've been able to enter the webui, go to the admin page, and disable the SAML integration. Problem solved!

I'm struggling with a similar issue, but for BigFix Compliance. I did not find a hint about a special URL in the documentation: https://help.hcltechsw.com/bigfix/10.0/compliance/Compliance/SCA_Users_Guide/t_sso.html

Any help would be appreciated.

It's been a while since I dealt with it and I can't really say that I recall much, but I can tell you that there was a relatively recent change to SAML configs in BF (within the last year or so) where they started enforcing that the "trusted issuer" for the specific SAML authenticator needs to match what the vendor sends back, and if they do not match, it rejects the login attempt (it used to be that you could put anything and it didn't matter, because it wasn't matching the value). I had to get one of our authentication experts, who guided me to install the SAML tracer add-on in the browser, and that allowed us to track down the response sent back from the authenticator and compare it to what the config had, to match the expected value against the one in reality. Also, the "trusted issuer" is vastly different depending on what kind of authenticator service you are using (I had it initially working with ADFS and then migrated to Okta; the two were completely different). Hope this helps you.

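The comparison described above, done by hand with the SAML tracer add-on, can be scripted as an added example that is not from this thread or from BigFix: it parses a captured SAML Response and reports where the IdP's `Issuer` differs from the configured trusted issuer. The response, IdP and SP names are constructed; the field name `trusted_issuer` is assumed to correspond to the setting discussed above.

```python
"""Compare the Issuer in a captured SAML Response with the configured trusted issuer."""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (fictional IdP and SP); real ones also carry a
# Signature, Status and Subject, which are not needed for the issuer check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://compliance.example.test/saml/acs">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def extract_issuers(response_xml: str) -> dict:
    """Return the Response-level and Assertion-level Issuer values plus Destination."""
    root = ET.fromstring(response_xml)
    resp_issuer = root.find("saml:Issuer", NS)
    assertion = root.find("saml:Assertion", NS)  # None if the assertion is encrypted
    assn_issuer = assertion.find("saml:Issuer", NS) if assertion is not None else None
    return {
        "response_issuer": resp_issuer.text.strip() if resp_issuer is not None else None,
        "assertion_issuer": assn_issuer.text.strip() if assn_issuer is not None else None,
        "destination": root.get("Destination"),
    }


def check_trusted_issuer(response_xml: str, trusted_issuer: str) -> list:
    """Exact, case-sensitive comparison: a stray trailing slash or http/https
    difference is enough for the SP to reject the login, so it is reported."""
    found = extract_issuers(response_xml)
    problems = []
    for field in ("response_issuer", "assertion_issuer"):
        value = found[field]
        if value is not None and value != trusted_issuer:
            problems.append(f"{field}: IdP sent {value!r}, config has {trusted_issuer!r}")
    if found["response_issuer"] is None:
        problems.append("response_issuer: no <saml:Issuer> element found")
    return problems


if __name__ == "__main__":
    for line in check_trusted_issuer(SAMPLE_RESPONSE, "https://idp.example.test/saml/metadata/"):
        print(line)
```

Paste the decoded Response from the tracer in place of the sample to see which value the config must be changed to.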

Hi @MatthiasW, are you wondering how to bypass SAML authentication in BigFix Compliance and authenticate with a local username / password? If that is the case, BigFix Compliance does not have the ability to bypass SAML authentication once it has been implemented. If you would like to disable SAML authentication in BigFix Compliance, the following documentation will provide that information:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0088799
If you do decide to disable SAML authentication, please have an admin user configured with authentication mode set to either Directory Server or Password so you can log in when you restart the server.
-Gus


Hi @gus: indeed, I've looked for an easier way to bypass SAML for a local (emergency) user. The workaround based on the KB article works fine. In my opinion, an easier way, similar to other BigFix applications, would be better. I will look for an idea/RFE.
Thanks for your fast reply and explanation.

@ageorgiev: SAML tracer sounds interesting, I will keep that in mind in case I run into issues.