Clarity SaaS Broadcom Okta Clarity Integration

Article ID: 208177

Products

Clarity PPM SaaS

Issue/Introduction

Title

Planned Change to Broadcom OKTA Authentication URL

Description

This document describes the planned change by Broadcom to the OKTA authentication URL and the steps a customer has to take to update the identity provider (IdP) configuration on the customer network.

Scope

All IdPs set up to access Broadcom GCP SaaS Clarity.

Summary

Broadcom is standardizing the authentication URL for Broadcom platforms from avagoext.okta.com to login.broadcom.com. The primary goal of enabling a custom URL in the avagoext.okta.com tenant is to provide the ability to customize the Okta-hosted login page and change it to Broadcom branding. Broadcom is working to ensure that the migration is as seamless as possible. A few simple actions will be required from our customers due to this standardization. Below you will find instructions on how to update your configuration with the new URL (login.broadcom.com) and the impact if you do not take the appropriate action.

The steps covered in this article can only be performed on or after March 13th, 2021.

The impact is not to Clarity immediately, but to other Broadcom applications, such as the Support Portal and Documentation sites.

Please see below for the full impact.

Cause

Change Details for Customer IDP Configuration

The only change needed on the customer IdP is to update the Assertion Consumer Service (ACS) URL. The ACS is the Broadcom OKTA Clarity service provider's endpoint (URL) that is responsible for receiving and parsing the SAML assertion from the customer IdP. Depending on the IdP vendor the customer is using, the ACS URL field may be labeled as Single Sign On URL.

Step-by-step instructions to update the ACS URL

The following steps need to be performed by SSO Administrators.

1. Access the IdP SSO configuration.

2. Locate the field that specifies the ACS URL. The ACS URL has the following format: the hostname comes first, and the value at the end of the URL is an identifier. The identifier for your environment is unique to your environment and will differ from the one shown in this example.

https://avagoext.okta.com/sso/saml2/0oa1dqivx15iBsjgp1d8

3. Replace https://avagoext.okta.com with https://login.broadcom.com in that field. After the change, the updated field should look like the following for this example SP ID:

https://login.broadcom.com/sso/saml2/0oa1dqivx15iBsjgp1d8

4. Do not make changes to any other fields.

5. Validate SSO by accessing the PPM URL (Ex: https://cppm####.ondemand.ca.com). The user should land on Clarity, provided the user is already set up in Clarity.

6. If you see an error similar to the following, make sure the ACS URL is set up correctly. Refer to the Resolution section below for vendor-specific information on changing the ACS URL.
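The procedure above changes exactly one thing, the hostname, and leaves the identifier at the end of the URL untouched. The following Python helper, added here as an illustration and not part of the Broadcom article or any IdP vendor's tooling, performs that rewrite while refusing URLs that do not have the expected shape (wrong scheme, unexpected host, query string, or a changed path), so a typo in the ACS field is caught before SSO breaks. The identifier pattern is an assumption based on the example in the article.

```python
"""Validate and rewrite a Clarity SAML ACS URL from avagoext.okta.com to login.broadcom.com."""
import re
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "avagoext.okta.com"
NEW_HOST = "login.broadcom.com"
# Shape of the Okta SP endpoint path shown in the article: /sso/saml2/<identifier>.
# The allowed identifier characters are an assumption, not an Okta specification.
ACS_PATH_RE = re.compile(r"^/sso/saml2/[A-Za-z0-9_-]+$")


def rewrite_acs_url(url: str) -> str:
    """Return the ACS URL with only the hostname changed to NEW_HOST.

    Raises ValueError when the input is not an https ACS endpoint of the expected
    shape, so an unrelated or mistyped URL is never silently "migrated".
    Already-migrated URLs are returned unchanged (the rewrite is idempotent).
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"ACS URL must use https: {url!r}")
    if parts.hostname not in (OLD_HOST, NEW_HOST):
        raise ValueError(f"unexpected host {parts.hostname!r}; expected {OLD_HOST} or {NEW_HOST}")
    if not ACS_PATH_RE.match(parts.path):
        raise ValueError(f"unexpected ACS path {parts.path!r}")
    if parts.query or parts.fragment or parts.port or parts.username:
        raise ValueError("ACS URL should carry no query, fragment, port or userinfo")
    # Keep scheme and path (which contains the environment-specific identifier); swap only the host.
    return urlunsplit((parts.scheme, NEW_HOST, parts.path, "", ""))


def check_migration(old_url: str, new_url: str) -> bool:
    """True only if new_url is old_url with the hostname swapped and nothing else changed."""
    try:
        return rewrite_acs_url(old_url) == new_url.strip() and urlsplit(new_url).hostname == NEW_HOST
    except ValueError:
        return False


if __name__ == "__main__":
    # Example identifier taken from the article; yours will differ.
    print(rewrite_acs_url("https://avagoext.okta.com/sso/saml2/0oa1dqivx15iBsjgp1d8"))
```

Run `check_migration(old, new)` against the value you copied out of the IdP before editing and the value you are about to save; a `False` result means more than the hostname changed (step 4 above says nothing else should).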

Environment

All Broadcom GCP SaaS Customers using Federation Single Sign On 

Resolution

Vendor Specific Information

This information is intended to provide a generic, non-exhaustive guideline on changing the ACS URL for your specific IdP vendor. Please consult your IdP vendor documentation for the detailed steps needed to modify the ACS URL.

Okta

1. Access the Application Setup for Clarity PPM.

2. Edit the Application and update the Hostname in the field as described in the previous section.

3. Save the Application and validate end user access to Clarity.

Microsoft Azure AD

1. Login to Azure Portal and click on Azure Active Directory

2. Click on Enterprise Applications.

3. Select the SAML Application set up for Clarity Access (Navigate to Home → Azure Active Directory → Enterprise Applications → Clarity App that is already set up).

4. Click on Single Sign-on

5. Select SAML

6. Under Basic SAML Configuration click on Edit and modify “Reply URL (Assertion Consumer Service URL)” as described in the previous section.

7. Save the Application and validate end user access to Clarity

PingFederate

1. Login to your PingFederate admin dashboard.

2. Select the Identity Provider that was set up to access Clarity.

3. Edit the ACS URL in the “Endpoint URL” field as described in the previous section.

4. Save the Configuration and validate end user access to Clarity.

Active Directory Federation Services

1. Open the AD FS Management Console

2. Modify the Relying Party Trust (RPT) that was set up for Clarity access.

3. Edit the ACS URL in the “Relying party SAML SSO service URL” field as described in the previous section.

4. Save the Configuration and validate end user access to Clarity.

SecureAuth

1. Login to SecureAuth IdP Web Admin

2. Select the SSO Configuration that was set up to access Clarity.

3. Scroll down to the ‘SAML Assertion/WS Federation’ section and make changes to the following fields.

4. Update the “SAML Consumer URL” as described in the previous section.

5. Update the “SAML Recipient” field to be the same as “SAML Consumer URL”. (Note: Set to the same value as designated for the ‘SAML Consumer URL’ field.)

6. Save the Configuration and validate end user access to Clarity.

RSA SecurID

1. Sign into the RSA Cloud Administration Console and browse to Authentication Clients.

2. From the Relying Party Catalog, select the Service Provider SAML configuration that was set up for Clarity access.

3. Under the Service Provider Metadata section, change the Assertion Consumer Service (ACS) URL as described in the previous section.

4. Save the Configuration and validate end user access to Clarity.

Layer7 SiteMinder

1. Sign in as a Layer7 SiteMinder administrator.

2. Click on the Entities link.

3. Select the entity that was set up for Clarity access.

4. Click the Federation tab.

5. Change the Assertion Consumer Service (ACS) URL as described in the previous section.

6. Save the Configuration and validate end user access to Clarity.

OneLogin

1. Log in to the OneLogin dashboard

2. Click Apps

3. Locate and open the application that is integrated with Broadcom.

4. Go to the SSO tab.

5. Update the ACS (Consumer) URL as described in the previous section.

6. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Login URL).

7. Save the configuration.

Keycloak

1. Log in to your Keycloak admin console.

2. Click Clients from the left menu.

3. Locate the Client ID that is integrated with Broadcom and to the right, click Edit under Actions.

4. Update the Client SAML Endpoint URL as described in the previous section.

5. Ensure all instances of avagoext.okta.com in the configuration are updated to login.broadcom.com (this may include the Root URL, Base URL or Master SAML Processing URL).

6. Save the configuration.
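The OneLogin and Keycloak steps above both say to make sure every instance of avagoext.okta.com in the configuration is updated, not only the field labelled ACS. A host-based audit of an exported configuration is the reliable way to confirm that. The script below is an added example, not Broadcom's or any vendor's tooling: it parses a SAML 2.0 SP metadata document (the standard EntityDescriptor/SPSSODescriptor format most IdPs can export), lists every attribute or element text whose URL host is still avagoext.okta.com, and produces a rewritten copy with only the hostname changed. It matches on the parsed hostname rather than a substring, so an entityID such as http://www.okta.com/… is correctly left alone. The sample metadata, its entityID and the identifier inside it are constructed placeholders.

```python
"""Audit an exported SAML SP metadata file for leftover avagoext.okta.com references."""
import xml.etree.ElementTree as ET  # for untrusted XML use defusedxml; this is your own export
from urllib.parse import urlsplit, urlunsplit

OLD_HOST = "avagoext.okta.com"
NEW_HOST = "login.broadcom.com"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when serialising the rewritten copy

# Constructed sample (not real Broadcom metadata); EXAMPLE_* values are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/EXAMPLE_ENTITY_ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://avagoext.okta.com/sso/saml2/EXAMPLE_ID/slo"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://avagoext.okta.com/sso/saml2/EXAMPLE_ID" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.broadcom.com/sso/saml2/EXAMPLE_ID" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _host(value):
    """Hostname of a URL-looking string, or None if it does not parse as one."""
    try:
        return urlsplit(value.strip()).hostname if value else None
    except ValueError:
        return None


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_stale_references(xml_text):
    """Return (element, attribute-or-'text', value) for every URL whose host is OLD_HOST."""
    stale = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if _host(value) == OLD_HOST:
                stale.append((_local(elem.tag), attr, value))
        if _host(elem.text) == OLD_HOST:
            stale.append((_local(elem.tag), "text", elem.text.strip()))
    return stale


def rewrite_stale_references(xml_text):
    """Return the document with OLD_HOST swapped for NEW_HOST; paths, queries and identifiers are kept."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr, value in list(elem.attrib.items()):
            if _host(value) == OLD_HOST:
                p = urlsplit(value.strip())
                elem.set(attr, urlunsplit((p.scheme, NEW_HOST, p.path, p.query, p.fragment)))
        if _host(elem.text) == OLD_HOST:
            p = urlsplit(elem.text.strip())
            elem.text = urlunsplit((p.scheme, NEW_HOST, p.path, p.query, p.fragment))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for elem, where, value in find_stale_references(SAMPLE_SP_METADATA):
        print(f"stale: <{elem}> {where}={value}")
    print(rewrite_stale_references(SAMPLE_SP_METADATA))
```

Review the list printed by `find_stale_references` before applying the rewritten document: the article says to change only the ACS URL in the IdP, so anything else it flags (a logout endpoint, a login URL) should be checked against the vendor steps above rather than changed blindly.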

Additional Information

Impact of not making the change

Customers that do not make the change to their ACS URL will notice the following:

  • No immediate impact to accessing Clarity SaaS Services. Your end users will continue to be able to access the Clarity SaaS service for 60 days, after which they may experience service disruption.
  • Access to other services and Broadcom resources, such as Broadcom Support, will be disrupted after March 13th 2021 until the change is made.
  • Customers can always continue to contact Broadcom support at 1-800-225-5224.

Impact if Configuration is not updated

If a customer does not update the ACS URL, then users cannot access additional downstream applications after they have successfully established a federated SSO session with Clarity.

Current Working Scenario

1. User accesses the Clarity URL (Ex: https://cppmxxxxxx.ondemand.ca.com/ ).

2. User is redirected to the Broadcom OKTA Service Provider set up for the customer if there is no established Clarity session.

3. Broadcom OKTA redirects to the customer IdP.

4. User authenticates on the customer IdP.

5. User lands on Clarity PPM (using the RelayState sent from Clarity).

6. The user now has both OKTA and PPM session cookies.

7. User accesses the support portal in a new tab (Ex: https://support.broadcom.com/user ).

8. User lands on the support portal if there is a valid account that matches the OKTA and PPM username.

Post-Change Scenario Walkthrough without the customer changing the URL

1. Customer did not change the ACS URL.

2. User accesses the Clarity URL (Ex: https://cppmxxxxxx.ondemand.ca.com/ ).

3. User is redirected to the Broadcom OKTA Service Provider set up for the customer if there is no established Clarity session.

4. Broadcom OKTA redirects to the customer IdP.

5. User authenticates on the customer IdP.

6. User lands on Clarity PPM (using the RelayState sent from Clarity).

7. The user now has both OKTA and PPM session cookies.

8. User accesses the support portal in a new tab (https://support.broadcom.com/user ).

9. User is redirected to the new URL for OKTA (the support site is updated with the new URL):

https://login.broadcom.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=l3_aFxV-Jaip_O0puYuuomWRXgJ2kp6CJqMw2lDDD4I

10. User is prompted for login.

11. Once the user enters a username, the user encounters a password prompt.

Note: For federated users, there is no local password in OKTA. At this point the user cannot proceed further. If a user tries to access with a password multiple times, the account will be locked out.
