After you configure federated SAML single sign-on (SSO) with Broadcom Okta for one or more Broadcom services, administrators suddenly lose administrative access to their other Broadcom services.

Broadcom Okta and SAML or a SAML-based IdP are configured on two or more of the following services:

• AppNeta
• Broadcom Support Portal
• Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
• Cloud Workload Assurance (CWA)
• Cloud Workload Protection (CWP)
• CloudSOC Cloud Access Security Broker (CASB)
• Cloud Management Portal (CMP)
• Email Security.cloud
• Integrated Cyber Defense Manager (ICDm)  

Note: Broadcom is aware of this issue affecting the services in this list. If other affected services are identified, this KB article will be updated.

When you configure federated SSO through Broadcom Okta, all services that support SSO through Broadcom Okta will use your configured IdP.  This change can cause the following unexpected behaviors:

• If administrators in the other services do not have accounts in your IdP,  they are denied access to their services even if they had Broadcom Okta access previously. 
• If administrators have accounts in the IdP but not in the other services, they authenticate successfully with Okta but cannot log in to the services.

For example, the following scenarios result in a mismatch between the administrators in the IdP and in Broadcom services:

• During the ICDm IdP setup, you reconfigure the IdP to include only the users required for ICDm. If the ICDm user list is a subset of the user list for previously configured services, Okta no longer has the complete user list. Administrators that are not included in the ICDm list cannot log in to services.
• An administrator has an account (with email address [email protected]) in Email Security.cloud with Okta SSO. The administrator also has an account in AppNeta, but with a different email address ([email protected]). If you enable Okta SSO through AppNeta, the identity associated with the first email account is not included in the AppNeta user list. As a result, the administrator cannot log in to services.

Administrators must have valid accounts in the IdP and in the appropriate services. Compare the list of administrators in the IdP with the list of administrators in the services. Then, ensure that all administrators have valid accounts in the IdP and in the services.

Complete the following steps in the specified order:

1. Ensure that the IdP includes all of the administrators required for all of the Broadcom services that federate to Broadcom Okta. Refer to the IdP-specific documentation for instructions.  
2. Add all required administrators to the appropriate Broadcom services. For service-specific instructions, refer to the following table, “Add Administrators to a Broadcom Service”.

Important Notes

• Ensure that each administrator's accounts in the IdP and in all Broadcom services are defined using the same email address.
• Ensure that all administrators have appropriate permissions to access the services.
• Keep the accounts in the Broadcom services and in the IdP in sync. If you add or remove accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you added administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access. 

Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Okta and in all services. Otherwise, the sync can result in users with multiple identities in Okta and mismatched names in services, which will cause access issues.

Add Administrators to a Broadcom Service