Clarity SaaS Broadcom Okta URL Update


Article ID: 208177


Products

Clarity PPM SaaS

Issue/Introduction

Summary

Broadcom is standardizing the authentication URL for Broadcom platforms from avagoext.okta.com to login.broadcom.com. The primary goal of enabling a custom URL in the avagoext.okta.com tenant is to make it possible to customize the Okta-hosted login page and change it to Broadcom branding. Broadcom is working to ensure that the migration is as seamless as possible. A few simple actions will be required from our customers due to this standardization. Below you will find instructions on how to update your configuration with the new URL (login.broadcom.com) and the impact if you do not take the appropriate action.

This knowledge article provides generic guidelines on changing the Assertion Consumer Service (ACS) URL. Please consult your Identity Provider (IdP) vendor documentation or your Single Sign-On (SSO)/IT team for the detailed steps needed to modify the ACS URL.

When do you need to make the change?

The change is required on or after Sunday March 14th 2021. 

The change can be performed in a sandbox environment (your DEV or TEST environment) first before promoting to Production.

Impact of not making the change?

Failure to test and make any required configuration changes for Federated SSO user authentication may prevent some or all of your Clarity SaaS users from accessing the service. Any such interruptions to service access will not be considered for your uptime SLA.

Customers that do not make the change to their ACS URL will notice the following:

Your end users will continue to be able to access the Clarity SaaS service for 60 days after March 13, 2021, after which they may experience service disruption. Access to other services and Broadcom resources, such as Broadcom Support, will be disrupted after March 13, 2021 until the change is made.

Customers can always continue to contact Broadcom Support.

Cause

Change Details for Customer IDP Configuration

The only change needed on the customer IDP is to add a new Assertion Consumer Service (ACS) URL to the existing ACS list, or to update the existing ACS URL. The ACS is the endpoint (URL) of the Broadcom Okta Clarity service provider that is responsible for receiving and parsing a SAML assertion from the customer IDP. Depending on the IDP vendor the customer is using, the ACS URL field could be labeled Single Sign On URL or Reply URL.

Step by Step instruction to update ACS URL

The following steps need to be performed by SSO Administrators.

  1. Access IDP SSO Configuration.
  2. Locate the field that specifies the ACS URL. The ACS URL has the following format, where the highlighted field is the hostname. The value at the end of the URL in italics is an identifier value. The values for your environment will be unique to your environment and will differ from what is shown in this example.

https://avagoext.okta.com/sso/saml2/0oa1dqivx15iBsjgp1d8

  3. Make the change using one of the following two options:
    a. If the IDP permits multiple ACS URLs, add a new ACS URL with the same value as the existing ACS URL. Then modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com

       After the change, the updated field should look like the following for this example SP ID. Your IDP screen might differ, but the two ACS URLs should be displayed in the list. Please note that the hostname is the only difference between these two ACS URLs.

       Note: Do not delete the existing ACS URL

    b. If the IDP does not permit adding multiple ACS URLs, replace https://avagoext.okta.com with https://login.broadcom.com in the ACS URL field.

       After the change, the updated field should look like the following for this example SP ID: https://login.broadcom.com/sso/saml2/0oa1dqivx15iBsjgp1d8

  4. Do not make changes to any other field.
  5. Validate the SSO by accessing the PPM URL (Ex: https://cppm####.ondemand.ca.com ). The user should land on Clarity, provided the user is already set up in Clarity.
  6. If you see an error similar to the following, make sure the ACS URL is set up correctly.

  7. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support
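The hostname swap in the steps above can be checked mechanically before the IdP configuration is saved. The Python below is an added example, not Broadcom's code: the function names `migrate_acs_url` and `check_acs_list` are hypothetical, and the identifier is the article's example value.

```python
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "avagoext.okta.com"   # hostname being retired (from the article)
NEW_HOST = "login.broadcom.com"  # standardized hostname (from the article)
# The article's example ACS URL; your identifier value will differ.
EXAMPLE_ACS = "https://avagoext.okta.com/sso/saml2/0oa1dqivx15iBsjgp1d8"


def migrate_acs_url(acs_url):
    """Return acs_url with only the hostname swapped to NEW_HOST."""
    parts = urlsplit(acs_url)
    # Compare the whole authority exactly: a substring test would also accept
    # other hosts whose name contains OLD_HOST, and an explicit port or
    # userinfo is rejected by the same comparison.
    if parts.scheme != "https" or parts.netloc.lower() != OLD_HOST:
        raise ValueError(f"not an https ACS URL on {OLD_HOST}: {acs_url!r}")
    return urlunsplit(parts._replace(netloc=NEW_HOST))


def check_acs_list(acs_urls, allow_multiple=True):
    """Return a list of problems in an IdP's ACS URL list (empty means OK).

    allow_multiple=True models option (a), where the old URL must be kept;
    allow_multiple=False models option (b), where it is replaced.
    """
    problems, paths = [], {OLD_HOST: set(), NEW_HOST: set()}
    for url in acs_urls:
        p = urlsplit(url)
        host = p.netloc.lower()
        if p.scheme != "https" or host not in paths:
            problems.append(f"unexpected ACS URL: {url}")
            continue
        paths[host].add((p.path, p.query))
    if not paths[NEW_HOST]:
        problems.append(f"no ACS URL on {NEW_HOST}")
    if allow_multiple and not paths[OLD_HOST]:
        problems.append(f"existing ACS URL on {OLD_HOST} was deleted")
    if paths[OLD_HOST] and paths[NEW_HOST] and paths[OLD_HOST] != paths[NEW_HOST]:
        problems.append("old and new ACS URLs differ in more than the hostname")
    return problems


if __name__ == "__main__":
    new_url = migrate_acs_url(EXAMPLE_ACS)
    print(new_url)
    print(check_acs_list([EXAMPLE_ACS, new_url]))  # option (a): both listed
    print(check_acs_list([new_url]))               # old URL missing
```

Because the ACS URL decides where the IdP posts the signed assertion, a mistyped host here fails SSO at best and sends assertions to the wrong endpoint at worst, which is why the check matches the authority exactly.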

Environment

All Broadcom GCP SaaS Customers using Federation Single Sign On 

Resolution

Vendor Specific Information

This information is intended to provide a generic, non-exhaustive guideline on changing the ACS URL for your specific IDP vendor. Please consult your IDP vendor documentation for the detailed steps needed to add or modify the ACS URL.

Vendors:

 

Okta

  1. Access the Application Setup for Clarity PPM
  2. Edit the Application and update the Hostname in the field as described in previous section.

  3. Save the Application and validate end user access to Clarity
  4. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom support

 

Microsoft Azure AD

  1. Login to Azure Portal and click on Azure Active Directory
  2. Click on Enterprise Applications.
  3. Select the SAML Application setup for Clarity Access
  4. Configure the newly added application for SAML Single Sign On. (Navigate to Home → Azure Active Directory → Enterprise Applications → the Clarity app that is set up)
  5. Click on Single Sign-on
  6. Select SAML
  7. Under Basic SAML Configuration click on Edit.

  8. Locate the “Reply URL (Assertion Consumer Service URL)” setting

  9. Copy the existing ACS URL. Paste the value into the empty ACS URL entry below it.

Note: Do not delete the existing ACS URL

  10. Modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com. Set the new URL as the default URL.

  11. Save the Application and validate end user access to Clarity
  12. If you see the following error when trying to access the Clarity URL, check your configuration to make sure you added a new ACS URL instead of updating the existing one.

  13. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom support

PingFederate

  1. Login to your Ping Federate user admin dashboard
  2. Select the Identity Provider that was setup to access Clarity
  3. Add a new ACS URL to the list by copying the existing Endpoint URL.

Note: Do not delete the existing ACS URL

  4. Modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com. Set the new URL as the default URL. In the Endpoint URL, make sure to provide the full hostname for both ACS URLs instead of a relative path, because there are now two different base URLs for the ACS.

  5. Save the Configuration and validate end user access to Clarity
  6. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support

Active Directory Federation Services

  1. Open the AD FS Management Console
  2. Modify the Relying Party Trust (RPT) that was setup for Clarity access

  3. Open the "End Points" tab. Copy the existing SAML ACS URL that starts with https://avagoext.okta.com/sso/saml..

  4. Click on "Add SAML" to add a new SAML ACS end point.
  5. Paste the saved ACS URL from step # 3 into “Trusted URL”. Set the index to 1. Set the binding to POST. Modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com.

  6. Press “OK” to see the list of ACS URLs. There should be two ACS URLs listed

  7. Save the Configuration and validate end user access to Clarity

  8. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support

SecureAuth

  1. Login to SecureAuth IdP Web Admin
  2. Select the SSO Configuration that was setup to access Clarity
  3. Scroll down to the ‘SAML Assertion/WS Federation’ section and make changes to the following fields.
  4. Update the “SAML Consumer URL” as described in the previous section
  5. Update the “SAML Recipient” field to be the same as the “SAML Consumer URL”. (Note: Set to the same value as designated for the ‘SAML Consumer URL’ field.)

  6. Save the Configuration and validate end user access to Clarity
  7. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support

RSA SecurID

  1. Sign into the RSA Cloud Administration Console and browse to Authentication Clients.
  2. From the Relying Party Catalog, select the Service Provider SAML configuration that was setup for Clarity access
  3. Under the Service Provider Metadata section, make changes to the Assertion Consumer Service (ACS) URL as described in the previous section
  4. Save the Configuration and validate end user access to Clarity
  5. If there is a problem accessing Clarity after the change, reverse the change and open a Broadcom Support ticket

Layer7 SiteMinder

  1. Sign in as a Layer7 SiteMinder administrator.
  2. Go to Federation -> Partnership Federation -> Entities.

  3. Select the Remote entity that was set up for the Clarity access partnership and access the modify menu.

  4. Add a new ACS URL to the “Remote Assertion Consumer Service URLs” list by copying the existing ACS URL.

Note: Do not delete the existing ACS URL

  5. Modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com. Set the new URL as the default URL.

Note: The new ACS URL will be the same as the existing one, except that the hostname part is changed from https://avagoext.okta.com to https://login.broadcom.com

  6. Save the Configuration
  7. Go to Federation -> Partnership Federation -> Partnerships
  8. Update the partnership to reflect the changes made in the Remote Entity

  9. Validate end user access to Clarity
  10. If there is a problem accessing Clarity after the change, reverse the change and open a Broadcom Support ticket.

OneLogin

  1. Log in to the OneLogin dashboard
  2. Click Apps
  3. Locate and open the application that is integrated with Broadcom.
  4. Go to the SSO
  5. Update the ACS (Consumer) URL as described in the previous section.
  6. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Login URL).
  7. Save the configuration.
  8. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support 

Keycloak

  1. Log in to your Keycloak admin console.
  2. Click Clients from the left menu.
  3. Locate the Client ID that is integrated with Broadcom and to the right, click Edit under Actions.
  4. Update the Client SAML Endpoint URL as described in previous section
  5. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Root URL, Base URL or Master SAML Processing URL).
  6. Save the configuration.
  7. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support

Additional Information

Support site access to federated users

If the Broadcom support site prompts a user for credentials after the user has logged in to Clarity PPM via federated authentication, the following steps can be taken to access the support site.

  1. Login to Clarity using any supported browser.
  2. Open Broadcom SSO Dashboard in another tab of same browser
  3. Click on “Broadcom Support” tile to access Broadcom support site
