
Administrators cannot log in to a Broadcom service after you configure federated SSO with Broadcom Okta


Article ID: 256545


Products

  • Cloud Secure Web Gateway - Cloud SWG
  • Email Security.cloud
  • CASB Advanced Threat Protection
  • CASB Audit
  • CASB Gateway
  • CASB Gateway Advanced
  • CASB Security Advanced
  • CASB Security Advanced IAAS
  • CASB Security Premium
  • CASB Security Premium IAAS
  • CASB Security Standard
  • CASB Securlet IAAS
  • CASB Securlet SAAS
  • CASB Securlet SAAS With DLP-CDS
  • Endpoint Security Complete
  • Cloud Manager
  • AppNeta
  • Cloud Workload Protection
  • Cloud Workload Assurance

Issue/Introduction

After you configure federated SAML single sign-on (SSO) with Broadcom Okta for one or more Broadcom services, administrators suddenly lose administrative access to their other Broadcom services.

Environment

Broadcom Okta and SAML or a SAML-based IdP are configured on two or more of the following services:

  • AppNeta
  • Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
  • Cloud Workload Assurance (CWA)
  • Cloud Workload Protection (CWP)
  • CloudSOC Cloud Access Security Broker (CASB)
  • Cloud Management Portal (CMP)
  • Email Security.cloud
  • Integrated Cyber Defense Manager (ICDm)

Note: Broadcom is aware of this issue affecting the services in this list. If other affected services are identified, this KB article will be updated.

Cause

When you configure federated SSO through Broadcom Okta, every service that supports SSO through Broadcom Okta uses your configured IdP, not only the service you were configuring. This change can cause the following unexpected behaviors:

  • If administrators of the other services do not have accounts in your IdP, they are denied access to those services even if they had Broadcom Okta access previously.
  • If administrators have accounts in the IdP but not in the other services, they authenticate successfully with Okta but cannot log in to the services.

For example, the following scenarios result in a mismatch between the administrators in the IdP and in Broadcom services:

  • During the ICDm IdP setup, you reconfigure the IdP to include only the users required for ICDm. If the ICDm user list is a subset of the user list for previously configured services, Okta no longer has the complete user list. Administrators that are not included in the ICDm list cannot log in to services.
  • An administrator has an account (with email address [email protected]) in Email Security.cloud with Okta SSO. The administrator also has an account in AppNeta, but with a different email address ([email protected]). If you enable Okta SSO through AppNeta, the identity associated with the first email account is not included in the AppNeta user list. As a result, the administrator cannot log in to services.

Resolution

Administrators must have valid accounts in the IdP and in the appropriate services. Compare the list of administrators in the IdP with the list of administrators in the services. Then, ensure that all administrators have valid accounts in the IdP and in the services.

Complete the following steps in the specified order:

  1. Ensure that the IdP includes all of the administrators required for all of the Broadcom services that federate to Broadcom Okta. Refer to the IdP-specific documentation for instructions.
  2. Add all required administrators to the appropriate Broadcom services. For service-specific instructions, refer to the table "Add Administrators to a Broadcom Service" below.

Important Notes

  • Ensure that each administrator's accounts in the IdP and in all Broadcom services are defined using the same email address.
  • Ensure that all administrators have appropriate permissions to access the services.
  • Keep the accounts in the Broadcom services and in the IdP in sync. If you add or remove accounts either in a service or in the IdP, replicate the change in the other system. For example, if you add administrators to Cloud SWG, add them to the IdP; if you add administrators to the IdP, add them to the service(s) that they are authorized to access.
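The comparison that steps 1 and 2 and the notes above describe can be scripted once the administrator lists have been exported from the IdP and from each federated service. The following is an added example written for this article, not Broadcom tooling: the email lists are constructed sample data, and the service names are used only as dictionary keys. It reports the two failure modes from the Cause section (service admins absent from the IdP, IdP users with no admin account in any service) and flags one mailbox spelled differently across systems, which violates the same-email-address rule.

```python
"""Reconcile administrator accounts between a SAML IdP and federated Broadcom services.

Added example, not Broadcom tooling. The lists below are constructed sample data;
in practice, export them from your IdP and from each service's administrator page.
"""
from __future__ import annotations

from typing import Dict, Iterable, List


def normalize(email: str) -> str:
    """Compare addresses case-insensitively and ignore surrounding whitespace."""
    return email.strip().lower()


def reconcile(idp_users: Iterable[str], service_admins: Dict[str, Iterable[str]]) -> dict:
    """Return the mismatches that break federated SSO.

    missing_in_idp:      {service: [emails]} service admins with no IdP account;
                         they are denied at the IdP sign-in step.
    missing_in_services: [emails] IdP users with no admin account in any federated
                         service; they pass Okta but cannot log in to any console.
    inconsistent_form:   {normalized: [raw forms]} one mailbox spelled differently
                         across systems; some services treat these as distinct users.
    """
    idp_list = list(idp_users)
    services = {svc: list(admins) for svc, admins in service_admins.items()}
    idp = {normalize(e) for e in idp_list}

    # Every raw spelling seen for each normalized address, across all systems.
    raw_forms: Dict[str, set] = {}
    for e in idp_list + [a for admins in services.values() for a in admins]:
        raw_forms.setdefault(normalize(e), set()).add(e.strip())

    missing_in_idp: Dict[str, List[str]] = {}
    seen_in_any_service: set = set()
    for svc, admins in services.items():
        norm = {normalize(e) for e in admins}
        seen_in_any_service |= norm
        gap = sorted(norm - idp)
        if gap:
            missing_in_idp[svc] = gap

    return {
        "missing_in_idp": missing_in_idp,
        "missing_in_services": sorted(idp - seen_in_any_service),
        "inconsistent_form": {k: sorted(v) for k, v in raw_forms.items() if len(v) > 1},
    }


def is_in_sync(report: dict) -> bool:
    """True when no category of mismatch was found."""
    return not any(report.values())


def format_report(report: dict) -> str:
    """Render the report as the to-do list an administrator would act on."""
    lines: List[str] = []
    for svc, emails in report["missing_in_idp"].items():
        for e in emails:
            lines.append(f"ADD TO IDP       {e}  (admin in {svc})")
    for e in report["missing_in_services"]:
        lines.append(f"ADD TO SERVICE   {e}  (in IdP, no admin account anywhere)")
    for norm, forms in report["inconsistent_form"].items():
        lines.append(f"UNIFY SPELLING   {norm}  seen as {', '.join(forms)}")
    return "\n".join(lines) if lines else "IdP and services are in sync."


# Constructed sample data (hypothetical users and a hypothetical set of services).
IDP_USERS = ["alice@example.com", "Bob@Example.com", "carol@example.com", "frank@example.com"]
SERVICE_ADMINS = {
    "Cloud SWG": ["alice@example.com", "dave@example.com"],
    "Email Security.cloud": ["bob@example.com", "carol@example.com"],
    "AppNeta": ["alice@example.com", "erin@example.com "],
}

if __name__ == "__main__":
    print(format_report(reconcile(IDP_USERS, SERVICE_ADMINS)))
```

The script cannot detect the article's second scenario, where one person holds two different addresses (for example one in Email Security.cloud and another in AppNeta); those show up only as two unrelated "missing" entries and need a human to recognize that they are the same administrator and pick one address for all systems.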

Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Okta and in all services. Otherwise, the sync can result in users with multiple identities in Okta and mismatched names in services, which will cause access issues.

Add Administrators to a Broadcom Service

The instruction titles are the documentation topics to consult for each service:

  • AppNeta: Single sign-on (SSO); Users
  • Cloud SWG (WSS): Add a Cloud SWG Administrator
  • CWA: Managing user accounts in Cloud Workload Assurance
  • CWP: Managing user accounts; Configuring SAML 2.0 identity provider for OKTA
  • CloudSOC CASB: Managing users
  • CMP: Add or Delete CMP Administrators
  • Email Security.cloud: Federation and Single Sign-on for the ClientNet Portal; Add a new user to the portal in Email Security.cloud
  • ICDm: Configure group-based administrative roles; Configuring a SAML 2.0-based identity provider for Integrated Cyber Defense Manager; Configuring Microsoft Azure using SAML 2.0 as your identity provider for Integrated Cyber Defense Manager

Caution (ICDm): If other Broadcom services were configured for the Okta IdP previously, be careful not to inadvertently remove user lists when you configure the role mapping in ICDm.