Important single-sign-on considerations for WSS Portal and multi-tenant account feature

Article ID: 242800

Products

Web Security Service - WSS

Issue/Introduction

In the May 27, 2022 WSS release update, the "WSS supports multiple-account switching" feature was enabled for public preview, per the following WSS release notes snippet.

The Public Preview documentation clearly cautions against logging on to the WSS portal via multiple tabs. Although different tenant configurations may be rendered in different tabs, only one tenant is active at a time, so there is a risk of applying unintended changes to any of the configurations opened in separate browser tabs.

Cause

This caution is very important and necessary because the single sign-on process that is used to log the WSS administrator on to the WSS portal (whether the user is authenticated by the Broadcom IDP or by their own Federated IDP) applies to all sessions in the running browser processes (as you would expect from a single sign-on platform).

This means that, in effect, you cannot log in to multiple WSS portals from the same browser at the same time.

Environment

WSS Portal with multiple-account switching enabled.

Resolution

Addressed in WSS Portal update.

When a WSS administrator opens multiple browser tabs with configurations for different WSS tenants across the different tabs, a popup appears as soon as the administered tenant is changed. The popup indicates that the account selection has changed and shows the following additional message:

"This view doesn't reflect the current account selection. It will reload to show Home dashboard for currently selected account."

Hitting refresh on this popup will change the currently assigned tenant to be the active tenant.
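The following is an added illustration of the stale-tab risk described above and of the kind of check the popup implies; it is not WSS portal code. The class names, tenant names, and the `applyChange` guard are assumptions made for the example.

```javascript
// Constructed model: one SSO session per browser, shared by every tab.
class BrowserSession {
  constructor(admin, tenants) {
    this.admin = admin;
    this.tenants = new Set(tenants);   // tenants this admin may manage
    this.activeTenant = null;          // only one tenant is active at a time
  }
  switchAccount(tenant) {
    if (!this.tenants.has(tenant)) throw new Error(`not authorized for ${tenant}`);
    this.activeTenant = tenant;        // affects ALL tabs using this session
  }
}

// A tab remembers which tenant its view was rendered for.
class Tab {
  constructor(session) {
    this.session = session;
    this.renderedTenant = session.activeTenant;
  }
  isStale() { return this.renderedTenant !== this.session.activeTenant; }
  reload() { this.renderedTenant = this.session.activeTenant; }
}

// Hypothetical guard: refuse a write when the view the admin is looking at
// no longer matches the session's active tenant. Without this check the
// write below would silently land on the active tenant instead.
function applyChange(configStore, tab, key, value) {
  if (tab.isStale()) {
    return { applied: false, reason: "view does not reflect current account selection" };
  }
  const tenant = tab.session.activeTenant;
  configStore[tenant] = { ...(configStore[tenant] || {}), [key]: value };
  return { applied: true, tenant };
}

function demo() {
  const store = {};
  const session = new BrowserSession("admin@example.test", ["tenant-A", "tenant-B"]);
  session.switchAccount("tenant-A");
  const tab1 = new Tab(session);        // tab 1 shows tenant-A
  session.switchAccount("tenant-B");    // account switched from a second tab
  const tab2 = new Tab(session);        // tab 2 shows tenant-B
  const blocked = applyChange(store, tab1, "policy", "constructed-value");
  tab1.reload();                        // tab 1 now shows the active tenant
  const afterReload = applyChange(store, tab1, "policy", "constructed-value");
  return { blocked, afterReload, store, tab2Stale: tab2.isStale() };
}
```

In this model the write from the stale tab is rejected, and after the reload the same tab edits tenant-B, the currently selected account, never tenant-A.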
