Configure federated SSO to enable administrators to sign in to multiple Broadcom services with one set of credentials. Perform the following steps to ensure that all administrators can access their required services, with a minimal amount of downtime.
The Broadcom Login service and SAML or a SAML-based IdP can be configured for one or more of the following services:
Whether you are configuring Broadcom Login for the first time or you are switching to it from a previous SSO, all services that support SSO through Broadcom Login will use your configured IdP. Before you adopt federated SSO, you must ensure that administrators have valid accounts in the IdP and in the service.
Important: Complete the following steps in the specified order. Otherwise, administrators might encounter the issue described in the following article:
Administrators cannot log in to a Broadcom service after you configure federated SSO with Broadcom Login
If administrators in your organization are transitioning to new email addresses (for example, through company acquisitions), update the addresses as required. For example, to migrate a group of administrators, update their email addresses from the previous domain to the current domain.
Important: (Not applicable to SES) You must coordinate with Broadcom Support to migrate your administrators’ access to Login, support.broadcom.com, and any other relevant sites. Plan for a few hours of service disruption during the transition and communicate the migration timeline to administrators.
If you do not have to make changes to email addresses, proceed to "Step 2: Add All Administrators to the IdP".
Ensure that your IdP includes all the administrators required for all the Broadcom services that federate to Broadcom Login. Refer to the IdP-specific documentation for instructions.
Important: Use the same email address to define the administrator account in the IdP and in all Broadcom services. For example, use [email protected] in both the IdP and in the appropriate services as the username for the administrator H. A. Bullock.
Add the IdP details for your cloud services in the self-service portal. Complete Steps 1 through 5 in the Identity Provider section in the Account Self-Service documentation.
Add all required administrators to the appropriate Broadcom services. Ensure that the administrators have appropriate permissions to access the services. For service-specific instructions, refer to the following table.
Reminder: Define each identity in the IdP and in all Broadcom services using the same email address.
| Service | Instructions |
| --- | --- |
| AppNeta | |
| Broadcom Support Portal | Refer to your Broadcom product representative (for example, your Symantec, Clarity, or Rally point-of-contact) to enable SSO Federation with Broadcom's customer identity tenant. After federation is set up, the Broadcom product team will reach out to Broadcom's Identity & Access Management (IAM) team to complete the configuration for federated access to the Broadcom Support Portal. |
| CloudSOC CASB | Contact Broadcom Support to configure Broadcom Login. See the Symantec CASB CloudSOC Release Notes for more information. |
| Cloud SWG (WSS) | Add a Cloud SWG Administrator |
| CMP | Add or Delete CMP Administrators |
| CWA | Managing user accounts in Cloud Workload Assurance |
| CWP | |
| Email Security.cloud | |
| SES | Configure group-based administrative roles and enable the SSO link to Broadcom Login. Caution: If other Broadcom services were configured for Broadcom Login previously, be careful not to inadvertently remove user lists when you configure the role mapping in SES. See: Configuring a SAML 2.0-based identity provider for Symantec Endpoint Security; Configuring Microsoft Azure using SAML 2.0 as your identity provider in Symantec Endpoint Security |
After you configure the federation, keep the administrator accounts in the Broadcom services and in the IdP in sync. If you add or remove user accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you add administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access.
Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Login and all services. Otherwise, the sync can result in users with multiple identities in Login and mismatched names in services, which will cause access issues.
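The sync requirement above (same email address in the IdP and in every service, changes replicated in both directions, old-domain addresses migrated) can be checked mechanically. The following is an added example, not Broadcom's own tooling: it compares a constructed IdP administrator list with constructed per-service lists (hypothetical domains oldco.example and newco.example) and reports accounts missing on either side and accounts still recorded under a pre-migration domain.

```python
from __future__ import annotations

from dataclasses import dataclass, field


def normalize(email: str, domain_map: dict[str, str] | None = None) -> str:
    """Lower-case the address; if its domain was migrated (Step 1), rewrite it."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain_map:
        domain = domain_map.get(domain, domain)
    return f"{local}@{domain}"


@dataclass
class Drift:
    """Differences between the IdP and one service, keyed by normalized email."""
    missing_in_service: set[str] = field(default_factory=set)  # in IdP only
    missing_in_idp: set[str] = field(default_factory=set)      # in service only
    stale_domain: set[str] = field(default_factory=set)        # service still has old domain

    def in_sync(self) -> bool:
        return not (self.missing_in_service or self.missing_in_idp or self.stale_domain)


def reconcile(idp_admins, service_admins, domain_map=None) -> Drift:
    """Compare admin lists in both directions, as the sync step requires."""
    idp = {normalize(e, domain_map) for e in idp_admins}
    svc = {normalize(e, domain_map): e for e in service_admins}  # normalized -> as stored
    drift = Drift()
    drift.missing_in_service = idp - set(svc)
    drift.missing_in_idp = set(svc) - idp
    drift.stale_domain = {raw for n, raw in svc.items()
                          if n in idp and raw.strip().lower() != n}
    return drift


# Constructed sample data (hypothetical domains), not real Broadcom accounts.
DOMAIN_MAP = {"oldco.example": "newco.example"}
IDP_ADMINS = ["h.bullock@newco.example", "Ops.Admin@newco.example", "newhire@newco.example"]
SERVICES = {
    "Cloud SWG": ["H.Bullock@oldco.example", "ops.admin@newco.example", "leaver@newco.example"],
    "SES": ["h.bullock@newco.example", "ops.admin@newco.example", "newhire@newco.example"],
}


def report(idp_admins=IDP_ADMINS, services=SERVICES, domain_map=DOMAIN_MAP) -> dict[str, Drift]:
    """Reconcile every federated service against the IdP and return the drift per service."""
    return {name: reconcile(idp_admins, admins, domain_map) for name, admins in services.items()}
```

Any entry in `stale_domain` or `missing_in_idp` is a candidate for a Broadcom Support ticket before the next sync, since the text above notes that unsynchronized records can leave users with multiple identities in Login.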
In the future, your organization might plan rebrands, acquisitions, or other scenarios that require email address changes. To facilitate the transition, refer to “Step 1: Migrate Users to New Email Addresses” and perform the required steps.