Broadcom Okta URL update for Clarity SaaS


Article ID: 208177


Updated On:

Products

Clarity PPM SaaS

Issue/Introduction

Broadcom is standardizing the authentication URL for Broadcom platforms from avagoext.okta.com to login.broadcom.com. The primary goal of enabling a custom URL in the avagoext.okta.com tenant is to provide the ability to customize the Okta-hosted login page and change it to Broadcom branding.

Broadcom is working to ensure that the migration is as seamless as possible. These guidelines help you update your configuration with the new URL (login.broadcom.com) and explain the impact if you do not take the appropriate action.

CAUTION: This article provides generic guidelines on changing the Assertion Consumer Service (ACS) URL. Consult your Identity Provider (IdP) vendor documentation or Single-Sign On (SSO)/IT team for detailed steps needed to modify the ACS URL.

When do you need to make the change?

  • The change is required on or after Sunday, March 14th, 2021. 
  • The change can be performed in a sandbox environment (your DEV or TEST environment) before moving to production.

Impact of not making the change?

Failure to test and make any required configuration changes in response to the Federated SSO user authentication updates detailed in this notice and the referenced knowledge article may result in some or all of your Clarity SaaS users being unable to access the service. Any such interruptions to service access will not be considered for your uptime SLA.

Customers that do not make the change to their ACS URL will notice the following: 

Your end-users will continue to be able to access the Clarity SaaS service for 60 days after March 13, 2021, after which they can experience service disruption. Access to other services and Broadcom resources, such as Broadcom Support, will be disrupted after March 13, 2021, until the change is made.

Customers can always continue to contact Broadcom Support.

Cause

Change details for IdP configurations

The only change needed on your IdP is to update the Assertion Consumer Service (ACS) URL. The ACS is the endpoint (URL) of the Broadcom Okta Clarity service provider that is responsible for receiving and parsing a SAML assertion from the customer IdP.

Depending on the IdP vendor that you are using, the ACS URL field could be labeled as Single Sign-On URL or Reply URL.

Updating ACS URLs

Note: These steps should be performed by SSO Administrators.

  1. Access IdP SSO Configuration.
  2. Locate the field that specifies the ACS URL. The ACS URL has the following format, where the highlighted field is the hostname and the value at the end of the URL, in italics, is an identifier value. The values for your environment are unique and will differ from those shown in this example.

    https://avagoext.okta.com/sso/saml2/0oa1dqivx15iBsjgp1d8

  3. Replace https://avagoext.okta.com with https://login.broadcom.com in the ACS URL field.

         After the change, the updated field should look like the following for this example SP ID: https://login.broadcom.com/sso/saml2/0oa1dqivx15iBsjgp1d8

  4. Do not change any other field.
  5. Validate the SSO by accessing the PPM URL (Ex: https://cppm####.ondemand.ca.com). The user should land on Clarity, provided the user is already set up in Clarity.
  6. If you see an error similar to the following, make sure the ACS URL is set up correctly.



  7. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.
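
As an added illustration (not Broadcom's code), the Python sketch below applies the hostname-only replacement described above and then inspects a SAML response captured from your own IdP during testing, reporting any Destination or Recipient value that does not match the new ACS URL. The function names and the sample response are constructed for this example; the SP identifier is the example value used in this article.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "avagoext.okta.com"
NEW_HOST = "login.broadcom.com"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def migrate_acs_url(url):
    """Swap only the hostname; scheme, path and SP identifier stay untouched."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != OLD_HOST:
        raise ValueError(f"not an https://{OLD_HOST} ACS URL: {url}")
    return urlunsplit(parts._replace(netloc=NEW_HOST))


def acs_mismatches(saml_response_b64, expected_acs):
    """Return the response fields that do not point at expected_acs.

    Meant for a response captured from your own IdP while testing; it does not
    verify signatures and does not replace the service provider's checks.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {"Response/@Destination": root.get("Destination")}
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        found["SubjectConfirmationData/@Recipient"] = scd.get("Recipient")
    return {k: v for k, v in found.items() if v != expected_acs}


# Constructed sample: an IdP where only one of the two fields was updated.
OLD_ACS = "https://avagoext.okta.com/sso/saml2/0oa1dqivx15iBsjgp1d8"
NEW_ACS = migrate_acs_url(OLD_ACS)
SAMPLE = base64.b64encode(f"""
<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{NEW_ACS}">
  <saml:Assertion><saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="{OLD_ACS}"/>
  </saml:SubjectConfirmation></saml:Subject></saml:Assertion>
</samlp:Response>""".strip().encode()).decode()

if __name__ == "__main__":
    print(NEW_ACS)
    print(acs_mismatches(SAMPLE, NEW_ACS))
```

An empty result means every inspected field already targets the new ACS URL; a leftover Recipient on the old host, as in the sample, is the kind of partial update the SecureAuth "SAML Recipient" step is meant to prevent.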

Environment

All Broadcom GCP SaaS customers using Federation Single Sign-On 

Resolution

This information is intended to provide a generic, non-exhaustive guideline on changing ACS URLs for your specific IdP vendor. Consult your IdP vendor documentation for detailed steps on how to add or modify the ACS URL.

Okta

  1. Access the Application Setup for Clarity PPM.
  2. Edit the Application and update the hostname in the field as described in the previous section.



  3. Save the Application and validate end-user access to Clarity.
  4. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

 

Microsoft Azure AD

  1. Login to Azure Portal and click on Azure Active Directory.
  2. Click on Enterprise Applications.
  3. Select the SAML Application setup for Clarity Access.
  4. Click on Single Sign-on.
  5. Select SAML.
  6. Under Basic SAML Configuration, click Edit.



  7. Locate the “Reply URL (Assertion Consumer Service URL)” setting.
    1. If there are two ACS URLs with the hostnames avagoext.okta.com and login.broadcom.com, remove the ACS URL with avagoext.okta.com.
    2. If there is only one ACS URL, update it by replacing only the hostname part, https://avagoext.okta.com, with https://login.broadcom.com.



  8. Apply the changes and test the SSO connection.

If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

PingFederate

  1. Log in to your PingFederate user admin dashboard.
  2. Select the Identity Provider that was set up to access Clarity.
  3. Add a new ACS URL to the list by copying the existing Endpoint URL.

    Note:
    Do not delete the existing ACS URL.

  4. Modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com. Set the new URL as the default URL. In the Endpoint URL, make sure to provide the full hostname for both ACS URLs instead of a relative path, because the two ACS URLs have different base URLs.



  5. Save the Configuration and validate end-user access to Clarity.

If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

Active Directory Federation Services

  1. Open the AD FS Management Console.
  2. Modify the Relying Party Trust (RPT) that was set up for Clarity access.



  3. In the Endpoints tab, copy the existing SAML ACS URL that starts with https://avagoext.okta.com/sso/saml.



  4. Click on "Add SAML" to add a new SAML ACS endpoint.
  5. Paste the saved ACS URL from step 3 into “Trusted URL”. Set the index to 1. Set the binding to POST. Modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com.



  6. Click OK to see the list of ACS URLs. There should be two ACS URLs listed.



  7. Save the Configuration and validate end-user access to Clarity.

If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

SecureAuth

  1. Log in to SecureAuth IdP Web Admin.
  2. Select the SSO Configuration that was set up to access Clarity.
  3. Scroll down to the ‘SAML Assertion/WS Federation’ section and make changes to the following fields.
  4. Update the “SAML Consumer URL” as described in the previous section.
  5. Update the “SAML Recipient” field to be the same as “SAML Consumer URL”.

    Note: Set to the same value as designated for the ‘SAML Consumer URL’ field.



  6. Save the Configuration and validate end-user access to Clarity.
  7. If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

RSA SecurID

  1. Sign in to the RSA Cloud Administration Console and browse to Authentication Clients.
  2. From the Relying Party Catalog, select the Service Provider SAML configuration that was set up for Clarity access.
  3. Under the Service Provider Metadata section, make changes to the Assertion Consumer Service (ACS) URL as described in the previous section.
  4. Save the Configuration and validate end-user access to Clarity.

If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

Layer7 SiteMinder

  1. Sign in as a Layer7 SiteMinder administrator.
  2. Go to Federation > Partnership Federation > Entities.



  3. Select the Remote entity that was set up for the Clarity access partnership and open the modify menu.



  4. Add a new ACS URL to the “Remote Assertion Consumer Service URLs” list by copying the existing ACS URL.

    Note: Do not delete the existing ACS URL.



  5. Modify the newly added ACS URL by replacing only the hostname part of the ACS URL, https://avagoext.okta.com, with https://login.broadcom.com. Set the new URL as the default URL.

    Note: The new ACS URL is the same as the existing one except that the hostname part is changed from https://avagoext.okta.com to https://login.broadcom.com.



  6. Save the Configuration.
  7. Go to Federation -> Partnership Federation -> Partnerships.
  8. Update the partnership so that it reflects the changes made in the Remote Entity.



  9. Validate end user access to Clarity.

If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

OneLogin

  1. Log in to the OneLogin dashboard.
  2. Click Apps.
  3. Locate and open the application that is integrated with Broadcom.
  4. Go to SSO.
  5. Update the ACS (Consumer) URL as described in the previous section.
  6. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Login URL).
  7. Save the configuration.

If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

Keycloak

  1. Log in to your Keycloak admin console.
  2. Click Clients from the left menu.
  3. Locate the Client ID that is integrated with Broadcom and to the right, click Edit under Actions.
  4. Update the Client SAML Endpoint URL as described in the previous section.
  5. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Root URL, Base URL or Master SAML Processing URL).
  6. Save the configuration.

If there is a problem accessing Clarity after the change, reverse the change and contact Broadcom Support.

Additional Information

Support site access to federated users

If the Broadcom Support Site prompts a user for credentials after the user has logged in to Clarity PPM via federated authentication, the following steps can be taken to access the support site.

  1. Log in to Clarity using any supported browser.
  2. Open the Broadcom Support Site in another tab of the same browser.

 
