
Configure federated SSO with Broadcom Okta for multiple services

Article ID: 257647


Products

AppNeta Cloud Secure Web Gateway - Cloud SWG Cloud Workload Protection Cloud Workload Assurance CASB Advanced Threat Protection CASB Audit CASB Gateway CASB Gateway Advanced CASB Security Advanced CASB Security Advanced IAAS CASB Security Premium CASB Security Premium IAAS CASB Security Standard CASB Securlet IAAS CASB Securlet SAAS CASB Securlet SAAS With DLP-CDS Cloud Manager Cloud Manager Email Security.cloud Endpoint Security Complete

Issue/Introduction

Configure federated SSO to enable administrators to sign in to multiple Broadcom services with one set of credentials. Perform the following steps to ensure that all administrators can access their required services, with a minimal amount of downtime.

Environment

You can configure Broadcom Okta with a SAML-based IdP for one or more of the following services:

  • AppNeta
  • Cloud Secure Web Gateway (Cloud SWG)/Web Security Service (WSS)
  • Cloud Workload Assurance (CWA)
  • Cloud Workload Protection (CWP)
  • CloudSOC Cloud Access Security Broker (CASB)
  • Cloud Management Portal (CMP)
  • Email Security.cloud
  • Integrated Cyber Defense Manager (ICDm)

Resolution

Whether you are configuring Broadcom Okta for the first time or you are switching to it from a previous SSO, all services that support SSO through Broadcom Okta will use your configured IdP. Before you adopt federated SSO, you must ensure that administrators have valid accounts in the IdP and in the service.

Important: Complete the following steps in the specified order. Otherwise, administrators might encounter the issue described in KB 256545.


Step 1: (If applicable) Migrate Administrators to New Email Addresses

If administrators in your organization are transitioning to new email addresses (for example, through company acquisitions), update the addresses as required. For example, to migrate a group of administrators, update their email addresses from the previous domain to the current domain.

Important: (Not applicable to ICDm) You must coordinate with Broadcom Support to migrate your administrators’ access to Okta, support.broadcom.com, and any other relevant sites. In addition, plan for a few hours of service disruption during the transition and communicate the information to administrators.

If you do not have to make changes to email addresses, proceed to "Step 2: Add All Administrators to the IdP".


Step 2: Add All Administrators to the IdP

Ensure that the IdP includes all of the administrators required for all of the Broadcom services that federate to Broadcom Okta. Refer to the IdP-specific documentation for instructions.

Important: Use the same email address to define the administrator account in the IdP and in all Broadcom services. For example, use [email protected] in both the IdP and in the appropriate services as the username for the administrator H. A. Bullock.


Step 3: Add Administrators to Broadcom Services

Add all required administrators to the appropriate Broadcom services. Ensure that the administrators have appropriate permissions to access the services. For service-specific instructions, refer to the following table.

Reminder: Define each identity in the IdP and in all Broadcom services using the same email address.

Service / Instructions

  AppNeta
    • Single sign-on (SSO)
    • Users
  Cloud SWG (WSS)
    • Add a Cloud SWG Administrator
  CWA
    • Managing user accounts in Cloud Workload Assurance
  CWP
    • Managing user accounts
    • Configuring SAML 2.0 identity provider for OKTA
  CloudSOC CASB
    • Managing users
  CMP
    • Add or Delete CMP Administrators
  Email Security.cloud
    • Federation and Single Sign-on for the ClientNet Portal
    • Add a new user to the portal in Email Security.cloud
  ICDm
    • Configure group-based administrative roles.
      Caution: If other Broadcom services were configured for Okta IdP previously, be careful not to inadvertently remove user lists when you configure the role mapping in ICDm.
    • Configuring a SAML 2.0-based identity provider for Integrated Cyber Defense Manager
    • Configuring Microsoft Azure using SAML 2.0 as your identity provider Integrated Cyber Defense Manager


Step 4: Enable SSO

Enable SSO to federate identities with Broadcom Okta:

  • For the ICDm portal only, enable the SSO link to Broadcom Okta. Refer to the links for ICDm in the preceding table.
  • For all other supported services, contact Broadcom Support to enable SSO with Broadcom Okta.
    If you scheduled a time with Broadcom Support to make changes to email addresses (described in “Step 1: (If applicable) Migrate Administrators to New Email Addresses”), enabling SSO consists of the following steps:
    • Broadcom updates the names in Okta and other required services/sites.
    • You grant SAML access to new services and disable SAML access to previous services.
    • Broadcom disables SSO access to previous services.


Step 5: Maintain the Configuration

After you configure the federation, keep the administrator accounts in the Broadcom services and in the IdP in sync. If you add or remove user accounts either in a service or in the IdP, replicate the changes to the other system. For example, if you add administrators to Cloud SWG, add them to the IdP. If you add administrators to the IdP, add them to the service(s) that they are authorized to access.

Services that support group-based access control: Whenever you synchronize user lists between the IdP and services, contact Broadcom Support to ensure that the user record is updated in Okta and all services. Otherwise, the sync can result in users with multiple identities in Okta and mismatched names in services, which will cause access issues.

In the future, your organization might plan rebrands, acquisitions, or other scenarios that require email address changes. To facilitate the transition, refer to “Step 1: (If applicable) Migrate Administrators to New Email Addresses” and perform the required steps.
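As an added pre-flight check for Steps 2, 3 and 5 (example code, not Broadcom tooling): the script below compares the administrator list exported from the IdP with the administrator list of each service and reports the identities that would cause access problems at cutover, namely service administrators with no IdP identity, IdP identities with no service account, spellings that differ only in case, and accounts still on a pre-migration domain. The user lists, the service names and the old-domain mapping are constructed sample data.

```python
"""Pre-flight sync check for federated SSO: compares administrator identities in the IdP
with those in each Broadcom service. Added example, not Broadcom tooling; data is constructed."""
from dataclasses import dataclass, field

# Constructed sample data: usernames as held in the IdP and in two services.
IDP_USERS = ["h.bullock@example.com", "j.doe@example.com", "m.lee@example.com"]
SERVICE_USERS = {
    "Cloud SWG": ["H.Bullock@example.com", "j.doe@example.com", "r.park@example.com"],
    "ICDm": ["j.doe@example.com", "m.lee@old-example.com"],
}
# Hypothetical mapping of a pre-migration domain to the current one (Step 1).
OLD_DOMAINS = {"old-example.com": "example.com"}

@dataclass
class Report:
    missing_in_service: dict = field(default_factory=dict)  # IdP admin with no service account
    missing_in_idp: dict = field(default_factory=dict)      # service admin who loses access at cutover
    case_mismatch: dict = field(default_factory=dict)       # same mailbox, different spelling
    stale_domain: dict = field(default_factory=dict)        # still on the pre-migration domain

def normalize(email):
    return email.strip().lower()

def check_sync(idp_users, service_users, old_domains):
    """Return a Report of every discrepancy between the IdP and each service."""
    report = Report()
    idp_exact = set(idp_users)
    idp_norm = {normalize(u) for u in idp_users}
    for service, users in service_users.items():
        seen = set()
        for raw in users:
            user = normalize(raw)
            local, _, domain = user.rpartition("@")
            if domain in old_domains:  # Step 1 not finished for this account
                report.stale_domain.setdefault(service, []).append(raw)
                user = f"{local}@{old_domains[domain]}"
            seen.add(user)
            if user not in idp_norm:  # no IdP identity: sign-in fails once SSO is enforced
                report.missing_in_idp.setdefault(service, []).append(raw)
            elif raw not in idp_exact and domain not in old_domains:
                report.case_mismatch.setdefault(service, []).append(raw)
        missing = sorted(idp_norm - seen)
        if missing:  # IdP identity with nothing to map to in this service (Step 3)
            report.missing_in_service[service] = missing
    return report

if __name__ == "__main__":
    print(check_sync(IDP_USERS, SERVICE_USERS, OLD_DOMAINS))
```

Run it against the real exports before contacting Broadcom Support in Step 4; every entry in the report is an account that needs reconciling in one of the two systems first.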