Administrators cannot log in to a Broadcom service after you configure federated SSO with Broadcom Login
Article ID: 256545

Products

  • Email Security.cloud
  • CASB Advanced Threat Protection
  • CASB Audit
  • CASB Gateway
  • CASB Gateway Advanced
  • CASB Security Advanced
  • CASB Security Advanced IAAS
  • CASB Security Premium
  • CASB Security Premium IAAS
  • CASB Security Standard
  • CASB Securlet IAAS
  • CASB Securlet SAAS
  • CASB Securlet SAAS With DLP-CDS
  • Endpoint Security Complete
  • Cloud Manager
  • AppNeta
  • Cloud Workload Protection
  • Cloud Workload Assurance
  • Support Portal

Issue/Introduction

After you configure federated SAML single sign-on (SSO) with Broadcom Login for one or more Broadcom services, administrators suddenly lose administrative access to their other Broadcom services.

Environment

Broadcom Login with a SAML-based IdP is configured on two or more of the following services:

  • AppNeta
  • Broadcom Support Portal
  • Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
  • Cloud Workload Assurance (CWA)
  • Cloud Workload Protection (CWP)
  • CloudSOC Cloud Access Security Broker (CASB)
  • Cloud Management Portal (CMP)
  • Email Security.cloud
  • Symantec Endpoint Security (SES)

Note: Broadcom is aware of this issue affecting the services in this list. If other affected services are identified, this KB article will be updated.

Cause

When you configure federated SSO through Broadcom Login, every service that supports SSO through Broadcom Login uses your configured IdP, not only the service you configured it from. This change can cause the following unexpected behaviors:

  • If administrators of the other services do not have accounts in your IdP, they are denied access to those services even though they had Broadcom Login access previously.
  • If administrators have accounts in the IdP but not in the other services, they authenticate successfully with Login but cannot log in to the services.

For example, the following scenarios result in a mismatch between the administrators in the IdP and in Broadcom services:

  • During the SES IdP setup, you reconfigure the IdP to include only the users required for SES. If the SES user list is a subset of the user list for previously configured services, Login no longer has the complete user list. Administrators who are not included in the SES list cannot log in to the other services.
  • An administrator has an account (with email address [email protected]) in Email Security.cloud with Login SSO. The administrator also has an account in AppNeta, but with a different email address ([email protected]). If you enable Login SSO through AppNeta, the identity associated with the first email account is not included in the AppNeta user list. As a result, the administrator cannot log in to services.

Resolution

Administrators must have valid accounts in the IdP and in the appropriate services. Compare the list of administrators in the IdP with the list of administrators in the services. Then, ensure that all administrators have valid accounts in the IdP and in the services.

Complete the following steps in the specified order:

  1. Ensure that the IdP includes all of the administrators required for all of the Broadcom services that federate to Broadcom Login. Refer to the IdP-specific documentation for instructions.
  2. Register the IdP with the Broadcom self-service portal. Complete Steps 1 through 5 in the Identity Provider section in the Account Self-Service documentation.
  3. Add all required administrators to the appropriate Broadcom services. For service-specific instructions, refer to the following table, “Add Administrators to a Broadcom Service”.

Important Notes

  • Ensure that each administrator's accounts in the IdP and in all Broadcom services are defined using the same email address.
  • Ensure that all administrators have appropriate permissions to access the services.
  • Keep the accounts in the Broadcom services and in the IdP in sync. If you add or remove accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you added administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access.
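The Resolution section asks you to compare the administrator list in the IdP with the administrator lists in each service, and the notes above ask that every administrator use the same email address everywhere. The script below, added here as an example and not part of the Broadcom KB article, performs that comparison offline on exported lists and reports the three mismatches the article describes: service administrators absent from the IdP (denied at the IdP), IdP users provisioned in no service (authenticate but cannot log in), and one person carrying different addresses in different systems (the AppNeta scenario). All service names, account names and addresses in the sample data are constructed; the assumptions are that addresses are matched case-insensitively and that a person can be recognized across systems by the same display name.

```python
"""Reconcile a federated IdP's user list against per-service admin lists.

Added example, not Broadcom code. Sample accounts below are constructed.
"""
from dataclasses import dataclass, field


def normalize(email: str) -> str:
    # Assumption: the IdP and the services match accounts on the address
    # case-insensitively, so compare a trimmed, lowercased form.
    return email.strip().lower()


@dataclass
class Report:
    # service -> addresses defined as admins in that service but absent from the IdP
    missing_in_idp: dict = field(default_factory=dict)
    # IdP addresses that are an admin in no service at all
    idp_only: list = field(default_factory=list)
    # display name -> distinct addresses seen for that name across all systems
    # (assumption: the same display name denotes the same person)
    split_identities: dict = field(default_factory=dict)

    def is_clean(self) -> bool:
        return not (self.missing_in_idp or self.idp_only or self.split_identities)


def reconcile(idp_users, services) -> Report:
    """idp_users: list of (display_name, email) exported from the IdP.
    services: {service_name: [(display_name, email), ...]} admin lists."""
    idp = {normalize(e) for _, e in idp_users}
    seen = {}  # display name -> set of normalized addresses
    for name, email in idp_users:
        seen.setdefault(name, set()).add(normalize(email))

    report = Report()
    all_service_emails = set()
    for svc, admins in services.items():
        emails = {normalize(e) for _, e in admins}
        all_service_emails |= emails
        for name, email in admins:
            seen.setdefault(name, set()).add(normalize(email))
        gap = sorted(emails - idp)
        if gap:
            report.missing_in_idp[svc] = gap

    report.idp_only = sorted(idp - all_service_emails)
    report.split_identities = {n: sorted(a) for n, a in seen.items() if len(a) > 1}
    return report


def summarize(report: Report) -> list:
    """Human-readable findings, one line each."""
    lines = []
    for svc, addrs in report.missing_in_idp.items():
        lines.append(f"{svc}: admins not in IdP (will be denied at sign-in): {', '.join(addrs)}")
    if report.idp_only:
        lines.append(f"IdP users with no service account (authenticate, no access): {', '.join(report.idp_only)}")
    for name, addrs in report.split_identities.items():
        lines.append(f"{name}: different addresses across systems: {', '.join(addrs)}")
    return lines or ["IdP and service administrator lists are consistent"]


# Constructed sample data: one IdP export and three service admin exports.
IDP_USERS = [
    ("Alice Admin", "alice.admin@example.com"),
    ("Bob Ops", "bob.ops@example.com"),
    ("Dana Sec", "dana.sec@example.com"),
]
SERVICES = {
    "Email Security.cloud": [
        ("Alice Admin", "Alice.Admin@example.com"),  # same account, different case
        ("Carol Mail", "carol.mail@example.com"),    # never added to the IdP
    ],
    "AppNeta": [
        ("Alice Admin", "alice@example.net"),        # second address for Alice
        ("Bob Ops", "bob.ops@example.com"),
    ],
    "Cloud SWG": [("Bob Ops", "bob.ops@example.com")],
}

if __name__ == "__main__":
    for line in summarize(reconcile(IDP_USERS, SERVICES)):
        print(line)
```

Run it before enabling Login SSO on an additional service and again after every account change on either side; an empty finding list means the lists are consistent under the stated assumptions. The display-name match for split identities is a heuristic and only catches people whose name is spelled identically in each system, so treat its output as a prompt for manual review rather than proof.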

For services that support group-based access control: whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Login and in all services. Otherwise, the sync can result in users with multiple identities in Login and mismatched names in services, which will cause access issues.

Add Administrators to a Broadcom Service

Service: AppNeta
  • Single sign-on (SSO)
  • Users

Service: Broadcom Support Portal
  • Refer to your Broadcom product representative (for example, your Symantec, Clarity, or Rally point of contact) to enable SSO federation with Broadcom's customer identity tenant.
  • After federation is set up, the Broadcom product team will reach out to Broadcom's Identity & Access Management (IAM) team to complete the configuration for federated access to the Broadcom Support Portal.

Service: Cloud SWG (WSS)
  • Add a Cloud SWG Administrator

Service: CWA
  • Managing user accounts in Cloud Workload Assurance

Service: CWP
  • Managing user accounts
  • Configuring SAML 2.0 identity provider for OKTA

Service: CloudSOC CASB
  • Managing users
  • Contact Broadcom Support to use the Broadcom Login feature. See the Symantec CASB CloudSOC Release Notes for more information.

Service: CMP
  • Add or Delete CMP Administrators

Service: Email Security.cloud
  • Federation and Single Sign-on for the ClientNet Portal
  • Add a new user to the portal in Email Security.cloud

Service: SES
  • Configure group-based administrative roles.
  • Caution: If other Broadcom services were configured for the Login IdP previously, be careful not to inadvertently remove user lists when you configure the role mapping in ICDm.
  • Configuring a SAML 2.0-based identity provider for Symantec Endpoint Security
  • Configuring Microsoft Azure using SAML 2.0 as your identity provider in Symantec Endpoint Security