Administrators cannot log in to a Broadcom service after you configure federated SSO with Broadcom Okta
search cancel

Administrators cannot log in to a Broadcom service after you configure federated SSO with Broadcom Okta


Article ID: 256545


Updated On:


Email CASB Advanced Threat Protection CASB Audit CASB Gateway CASB Gateway Advanced CASB Security Advanced CASB Security Advanced IAAS CASB Security Premium CASB Security Premium IAAS CASB Security Standard CASB Securlet IAAS CASB Securlet SAAS CASB Securlet SAAS With DLP-CDS Endpoint Security Complete Cloud Manager AppNeta Cloud Workload Protection Cloud Workload Assurance Support Portal


After you configure federated SAML single sign-on (SSO) with Broadcom Okta for one or more Broadcom services, administrators suddenly lose administrative access to their other Broadcom services.


Broadcom Okta and SAML or a SAML-based IdP are configured on two or more of the following services:

  • AppNeta
  • Broadcom Support Portal
  • Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
  • Cloud Workload Assurance (CWA)
  • Cloud Workload Protection (CWP)
  • CloudSOC Cloud Access Security Broker (CASB)
  • Cloud Management Portal (CMP)
  • Email
  • Integrated Cyber Defense Manager (ICDm)  

Note: Broadcom is aware of this issue affecting the services in this list. If other affected services are identified, this KB article will be updated.


When you configure federated SSO through Broadcom Okta, all services that support SSO through Broadcom Okta will use your configured IdP.  This change can cause the following unexpected behaviors:

  • If administrators in the other services do not have accounts in your IdP,  they are denied access to their services even if they had Broadcom Okta access previously. 
  • If administrators have accounts in the IdP but not in the other services, they authenticate successfully with Okta but cannot log in to the services.

For example, the following scenarios result in a mismatch between the administrators in the IdP and in Broadcom services:

  • During the ICDm IdP setup, you reconfigure the IdP to include only the users required for ICDm. If the ICDm user list is a subset of the user list for previously configured services, Okta no longer has the complete user list. Administrators that are not included in the ICDm list cannot log in to services.
  • An administrator has an account (with email address [email protected]) in Email with Okta SSO. The administrator also has an account in AppNeta, but with a different email address ([email protected]). If you enable Okta SSO through AppNeta, the identity associated with the first email account is not included in the AppNeta user list. As a result, the administrator cannot log in to services.


Administrators must have valid accounts in the IdP and in the appropriate services. Compare the list of administrators in the IdP with the list of administrators in the services. Then, ensure that all administrators have valid accounts in the IdP and in the services.

Complete the following steps in the specified order:

  1. Ensure that the IdP includes all of the administrators required for all of the Broadcom services that federate to Broadcom Okta. Refer to the IdP-specific documentation for instructions.  
  2. Add all required administrators to the appropriate Broadcom services. For service-specific instructions, refer to the following table, “Add Administrators to a Broadcom Service”.

Important Notes

  • Ensure that each administrator's accounts in the IdP and in all Broadcom services are defined using the same email address.
  • Ensure that all administrators have appropriate permissions to access the services.
  • Keep the accounts in the Broadcom services and in the IdP in sync. If you add or remove accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you added administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access. 

Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Okta and in all services. Otherwise, the sync can result in users with multiple identities in Okta and mismatched names in services, which will cause access issues.

Add Administrators to a Broadcom Service

Service Instructions

Single sign-on (SSO)


Broadcom Support Portal

Refer to your Broadcom product representative (for example, your Symantec, Clarity, or Rally point-of-contact) or Broadcom Global Customer Care (GCA) to enable SSO Federation with Broadcom’s customer identity tenant. 

After federation is set up, the Broadcom product team or Broadcom GCA will reach out to Broadcom’s Identity & Access Management (IAM) team to complete the configuration for federated access to the Broadcom Support Portal.

Cloud SWG (WSS)

Add a Cloud SWG Administrator
CWA Managing user accounts in Cloud Workload Assurance

Managing user accounts

Configuring SAML 2.0 identity provider for OKTA


Managing users

Contact Broadcom Support to use the Broadcom Login feature. See the Symantec CASB CloudSOC 3.159 Release Notes for more information.

CMP Add or Delete CMP Administrators

Federation and Single Sign-on for the ClientNet Portal

Add a new user to the portal in Email 


Configure group-based administrative roles. 

Caution: If other Broadcom services were configured for Okta IdP previously, be careful not to inadvertently remove user lists when you configure the role mapping in ICDm.

Configuring a SAML 2.0-based identity provider for Integrated Cyber Defense Manager

Configuring Microsoft Azure using SAML 2.0 as your identity provider Integrated Cyber Defense Manager