Configure federated SSO with Broadcom Okta for Cloud Secure Web Gateway

Article ID: 220578

Products

  • Cloud Secure Web Gateway - Cloud SWG
  • Endpoint Security
  • Endpoint Security Complete
  • Cloud Workload Protection
  • Advanced Web Security

Issue/Introduction

Symantec uses Okta for both Single Sign-on (SSO) and federation of user accounts. Okta is an identity provider (IDP) that offers user authentication as a service.

Cloud Secure Web Gateway customers can choose to register with Okta using any email address or to federate their corporate IDP with Okta.

Environment

  • Cloud Secure Web Gateway
  • Okta IdP
  • Any 3rd party IdP (Supports SAML 2.0)
  • ICDm Portal

Resolution

If you have access to ICDm Portal, you can configure federated SSO to enable administrators to sign in to multiple Broadcom services with one set of credentials.

See Configure federated SSO with Broadcom Okta for multiple services.

If you do not have access to the ICDm Portal, perform the following steps so that all administrators can reach the services they need with minimal downtime.

Configuring federation with a partner IDP:

Federation with a partner IDP must be initiated by opening a support ticket. Before raising the ticket, pre-register the Cloud SWG users with their respective roles in the Cloud SWG Portal. In the ticket you must provide:

  • The email domain(s) for your users.
  • The IDP metadata XML file (exported from the IDP).
  • Your IDP attribute mappings, which MUST match the standard attributes in Broadcom's IDP:

    • FirstName
    • LastName
    • Email
    • UserId

  • Note:
    • Any Cloud SWG administrator using a federated email domain is redirected to the IDP server to log in. Add at least one administrator with an email address in a non-federated domain to the Cloud SWG Administrator list, so that a local login remains possible if the IDP server is down.
    • To support multiple domains under one Cloud SWG Subscription ID, IDP administrators must create one IDP application per Cloud SWG user domain and provide the metadata XML fragment for each IDP application.
    • The same administrator email addresses can be added across multiple Cloud SWG tenants and log in via the SAML IDP server. In that case the Cloud SWG admin is presented with a list of the Cloud SWG tenants they can administer and must select the appropriate one.

Cloud SWG support provides the customer with the two (2) URLs to configure in the IDP application:

  1. ACS URL (Single sign-on URL)
  2. Audience URI (Identifier / Entity ID)

Note: SP metadata from Cloud SWG is not needed; these two values are sufficient to configure the IDP side.
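Because the IDP metadata XML is the one artifact you hand over in the ticket, it is worth checking it before attaching it. The following is an added example (not Broadcom's or Okta's code) that verifies the file is IdP metadata rather than SP metadata, names an entityID, exposes an HTTPS SingleSignOnService over HTTP-Redirect or HTTP-POST, and carries a signing certificate that decodes as DER. The embedded metadata and the host idp.example.com are constructed for the demo; pass your exported file as the first argument to check a real one.

```python
"""Pre-flight check of an IdP metadata XML file before attaching it to the support ticket.

Added example, not Broadcom's code. The metadata below is CONSTRUCTED; substitute
the file exported from your IdP.
"""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (hypothetical idp.example.com). The certificate value is a
# placeholder that decodes to a DER SEQUENCE header, enough for the structural check.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBAAIBAQ==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints by binding, signing-cert count and a list of problems."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not entity_id:
        problems.append("root element is not md:EntityDescriptor with an entityID")
    sso, certs = {}, 0
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
        return {"entity_id": entity_id, "sso": sso, "signing_certs": certs, "problems": problems}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.get("Binding")] = svc.get("Location", "")
    if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    for binding, location in sso.items():
        if not location.startswith("https://"):
            problems.append("SSO endpoint for %s is not https: %r" % (binding, location))
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # an absent 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                der = b""
            if der[:1] == b"\x30":  # DER SEQUENCE: outer Certificate structure
                certs += 1
            else:
                problems.append("X509Certificate is not base64-encoded DER")
    if certs == 0:
        problems.append("no usable signing certificate in a KeyDescriptor")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs, "problems": problems}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    result = check_idp_metadata(text)
    print("entityID:", result["entity_id"])
    for binding, location in result["sso"].items():
        print("SSO:", binding.rsplit(":", 1)[-1], location)
    print("signing certs:", result["signing_certs"])
    print("problems:", result["problems"] or "none")
```

The check deliberately stops at structure: certificate expiry and chain are the IdP operator's concern and the signature on the assertion is validated by Broadcom's Okta at login time. The most common mistakes it catches are exporting SP metadata instead of IdP metadata and an SSO endpoint published over plain HTTP.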

Caveats

  • Enforcing federation automatically enables federation across all Symantec Cloud product portals and services (listed below).
  • IDP-initiated login is currently not supported: administrators must start from the product portal URL (SP-initiated login), which then redirects them to the IDP.

Product Name                          Product Portal Link
Symantec Cloud Workload Protection    https://scwp.securitycloud.symantec.com/webportal/
Symantec Cloud Secure Web Gateway     https://portal.threatpulse.com/login.jsp
Email Security.cloud                  https://identity.symanteccloud.com/Logon
Symantec CloudSOC CASB - EMEA         https://app.eu.elastica.net/
Symantec CloudSOC CASB - NAM          https://app.elastica.net/
Symantec ICDm                         https://sep.securitycloud.symantec.com/v2/landing

Additional Information

Example IDP attribute mapping for Azure AD (Groups is not among the required attributes listed above; the other four are):

Okta attribute name   Azure AD claim (IDP attribute name)
Email                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
FirstName             http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
LastName              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Groups                http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
UserId                http://schemas.microsoft.com/identity/claims/objectidentifier
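Before the ticket is closed it is useful to confirm that the assertion your IDP actually emits carries the claims in this table, since a missing or empty UserId or Email is the usual cause of a failed federated login. The following is an added example (not Broadcom's or Okta's code) that parses a captured assertion, translates the Azure AD claim URIs from the table to the Okta attribute names, flags claims Okta will ignore, checks the four required attributes are present and non-empty, and checks that the Email domain is one of the domains you federated (an admin in any other domain gets a local login, not the IDP redirect). The assertion, the user alice@example.com and the issuer idp.example.com are constructed; in practice paste the decoded assertion captured with a browser SAML tracer. Signature validation is out of scope here and is done by Broadcom's Okta.

```python
"""Check a captured SAML assertion against the attribute names Broadcom's Okta expects.

Added example, not Broadcom's or Okta's code. Uses the Azure AD claim URIs from the
mapping table; other IdPs need their own mapping dict. The assertion is CONSTRUCTED.
"""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# IdP claim name -> attribute name in Broadcom's Okta (from the Azure AD mapping table).
AZURE_CLAIM_TO_OKTA = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "Email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "FirstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "LastName",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "Groups",
    "http://schemas.microsoft.com/identity/claims/objectidentifier": "UserId",
}
REQUIRED = ("FirstName", "LastName", "Email", "UserId")  # Groups is optional

# Constructed sample assertion (hypothetical user, issuer and object identifier).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>7d3e0a1c-0000-4000-8000-000000000001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>swg-admins</saml:AttributeValue>
      <saml:AttributeValue>swg-readonly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml):
    """Map each SAML Attribute Name to its list of values (works on a Response or a bare Assertion)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML)]
        attrs[attr.get("Name")] = values
    return attrs


def map_to_okta(attrs, mapping=AZURE_CLAIM_TO_OKTA):
    """Translate IdP claim names to Okta attribute names; also report claims Okta will ignore."""
    mapped, unmapped = {}, []
    for name, values in attrs.items():
        target = mapping.get(name)
        if target is None:
            unmapped.append(name)
        else:
            mapped[target] = values
    return mapped, unmapped


def check_mapping(mapped, federated_domains):
    """Return problems: missing or empty required attributes, or an Email outside the federated domains."""
    problems = []
    for name in REQUIRED:
        values = mapped.get(name, [])
        if not values or not values[0]:
            problems.append("required attribute %s is missing or empty" % name)
    email = (mapped.get("Email") or [""])[0]
    if email:
        domain = email.rpartition("@")[2].lower()
        if domain not in {d.lower() for d in federated_domains}:
            problems.append("Email domain %r is not a federated domain; this user gets a local login, not the IdP redirect" % domain)
    return problems


if __name__ == "__main__":
    mapped, unmapped = map_to_okta(extract_attributes(SAMPLE_ASSERTION))
    for name, values in mapped.items():
        print("%-10s %s" % (name, ", ".join(values)))
    print("unmapped claims:", unmapped or "none")
    print("problems:", check_mapping(mapped, ["example.com"]) or "none")
```

Multi-valued attributes such as Groups are kept as lists so a group claim with several values is not silently truncated; the required attributes are checked on their first value only, because Okta matches a user on a single Email and UserId.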